combine randomizable encryption and signatures to a new primitive as follows: ...... add a new member B without learning his certificate provided by the authority .... A digital signature scheme secure against adaptive chosen-message attacks.
This is the full version0 of the extended abstract which appears in the 2011 International Conference on Theory and Practice in Public Key Cryptography PKC 2011 (6–9 march 2011, Taormina, Italy) D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi Eds. Springer-Verlag, LNCS 6571, pages 403–422.
Signatures on Randomizable Ciphertexts Olivier Blazy1 , Georg Fuchsbauer2,? , David Pointcheval1 , and Damien Vergnaud1 1
´ Ecole normale sup´erieure - CNRS - INRIA, Paris, France 2 Dept. Computer Science, University of Bristol, UK
Abstract Randomizable encryption allows anyone to transform a ciphertext into a fresh ciphertext of the same message. Analogously, a randomizable signature can be transformed into a new signature on the same message. We combine randomizable encryption and signatures to a new primitive as follows: given a signature on a ciphertext, anyone, knowing neither the signing key nor the encrypted message, can randomize the ciphertext and adapt the signature to the fresh encryption, thus maintaining public verifiability. Moreover, given the decryption key and a signature on a ciphertext, one can compute (“extract”) a signature on the encrypted plaintext. As adapting a signature to a randomized encryption contradicts the standard notion of unforgeability, we introduce a weaker notion stating that no adversary can, after querying signatures on ciphertexts of its choice, output a signature on an encryption of a new message. This is reasonable since, due to extractability, a signature on an encrypted message can be interpreted as an encrypted signature on the message. Using Groth-Sahai proofs and Waters signatures, we give several instantiations of our primitive and prove them secure under classical assumptions in the standard model and the CRS setting. As an application, we show how to construct an efficient non-interactive receipt-free universally verifiable e-voting scheme. In such a scheme a voter cannot prove what his vote was, which precludes vote selling. Besides, our primitive also yields an efficient roundoptimal blind signature scheme based on standard assumptions, and namely for the classical Waters signature.
1
Introduction
Homomorphic cryptographic primitives have already found numerous applications. A nice side effect of homomorphic encryption is that ciphertexts can be randomized : given a ciphertext, anyone can—without knowing the encrypted message—produce a fresh ciphertext of the same message. E-voting schemes make use of homomorphic encryption: users encrypt their votes under such a scheme (and add proofs and signatures), so combining the ciphertexts leads to an encryption of the election result. All signed encryptions are then made public and verifiable, enabling the users to check that their vote was counted, and anybody to verify the correctness of the final tally. Now, if instead of directly using a user’s ciphertext, the voting center first randomizes it and proves that it did so correctly, in a non-transferable way, then users are prevented from proving the content of their vote by opening it. This deters from vote selling, since someone buying a vote has no means to check whether the user voted as told. However, such a (non-transferable) proof of correct randomization is costly, and the randomization breaks most of the proofs of validity of the individual ciphertexts and signatures, and thus universal verifiability. More efficient techniques are thus desirable, and this is precisely the motivation for our new primitive: it allows to adapt signatures and proofs on the content of a ciphertext when the ciphertext is randomized, that is, when the content itself is not modified. This makes proofs of correct randomization obsolete, since after receiving an encrypted vote with a validity proof and a signature from a user, the voting center can randomize the ciphertext as well as the proof and signature accordingly, which preserves universal verifiability. However, because of the randomization of the encryption of the vote, the voter is not able to open nor link this encrypted ballot to anything: no receipt can be built. In contrast to e-voting, there are situations where encryption and signing are not performed by the same person; consider a user that encrypts a message and asks for a signature on the ciphertext. Assume now that the user can compute from this an actual signature on the message (rather than on an encryption thereof). The signature on the ciphertext could then be seen as an encrypted signature on the message, ? 0
´ Work done while at Ecole normale sup´erieure, Paris, France. With corrections in the Revisited Waters Signature
c IACR 2011.
which can be decrypted by the user. This resembles a blind signature, as the signer made a signature on an unknown message; but not quite, since he may later recognize the signature (knowing the random coins he used) and thus break blindness. A possible remedy are randomizable signatures, which allow to transform a given signature into a new one on the same message. Such signatures, a classical example being Waters signatures [Wat05], do not satisfy strong unforgeability, which requires that it be impossible even to create a new signature on a signed message. As we show, this apparent weakness is actually a feature, as it can be exploited to achieve unlinkability: the blindness property is achieved by randomizing a signature after reception. Fischlin [Fis06] gives a generic construction of round-optimal blind signatures which has been efficiently instantiated recently [Fuc09, AFG+ 10]. To prevent the signer from linking a blind signature to the signing session, they define a blind signature as a (non-interactive) proof of knowledge of a signature. This makes blind signatures significantly longer than signatures of the underlying scheme, which can be avoided using randomizable signatures. In Fischlin’s scheme a blind signature is a proof of knowledge of a signature on a ciphertext together with a proof that the ciphertext decrypts to the message. In the scheme in [Fuc09], the user obtains an actual signature on the message, of which he proves knowledge. We go one step further: again, the user can extract a signature on the message; but instead of making a proof of knowledge, it suffices to simply randomize it to make it unlinkable. A blind signature has therefore the same format as the underlying signatures and, in addition to being round-optimal, is thus short. Getting back to the receipt-free voting schemes, unlinkability of ciphertexts after randomization is guaranteed by the semantic security of the encryption scheme. If at the same time of randomizing the ciphertext, the voting center adapts the proofs (validity of the ciphertext and signature by the voter), the ciphertexts remain unlinkable, under the conditions that they are valid ciphertext and signed by a given voter. As a consequence, two valid encrypted votes signed by the same voter are unlinkable: there is no way to know nor prove (even for the voter) if they contain the same vote or any specific vote, which prevents the voter from selling his vote. Our contribution. We first introduce the notion of signatures on randomizable ciphertexts: given a signature on a ciphertext, anyone, knowing neither the signing key nor the encrypted message, can randomize the ciphertext and adapt the signature to the fresh encryption. A pair of a ciphertext and a signature on it can thus be randomized simultaneously and consistently. Since adapting a signature on one ciphertext to a signature on another ciphertext contradicts the standard notion of unforgeability for signatures, we define a weaker notion, which still implies the security of our applications: unforgeability of signatures on randomizable ciphertexts means that the only thing an adversary can do is produce signatures on encryptions of messages of which he already knows a signature on an encryption; but he cannot make a signature on an encryption of a new message. Formally, no adversary can, after querying signatures on ciphertexts of its choice, output a signature on a ciphertext whose decryption is different from the decryptions of all queried ciphertexts. We then extend our primitive to extractable signatures on randomizable ciphertexts: given the decryption key, from a signature on a ciphertext one can extract a signature on the encrypted plaintext. This enables the user in a blind-signature scheme to recover a signature on the message after the signer has signed an encryption of it. Instantiations. We give several instantiations of extractable signatures on randomizable ciphertexts, all of which are based on weak assumptions. Our constructions use the following building blocks, from which they inherit their security: Witness-indistinguishable Groth-Sahai proofs for languages over pairing-friendly groups [GS08] and Waters signatures derived from the scheme in [Wat05] and used in [BW06]. Since verification of Waters signatures is a statement of the language for Groth-Sahai proofs, these two building blocks combine smoothly. The first instantiation of our new primitive is in symmetric pairing-friendly elliptic curves and additionally uses linear encryption [BBS04]. Both unforgeability and semantic security of this construction 2
rely solely on the decision linear assumption (DLin). Due to space limitations, an instantiation with improved efficiency, in asymmetric bilinear groups, using ElGamal encryption and the SXDH variant of Groth-Sahai proofs is postponed to Appendices C and D. This setting requires to transfer Waters’ signature scheme to asymmetric groups. Whereas standard Waters signatures are secure under the computational Diffie-Hellman assumption (CDH), we prove our variant secure under a slightly stronger assumption, we term CDH+ , where some additional elements in the second group are given to the adversary. The following table details the size of a ciphertext-signature pair, where the parameter k denotes the bit length of a message: Symmetric Pairing G Waters + Linear 9k + 24
Asymmetric Pairing G1 G2 Waters + ElGamal 6k + 7 6k + 5
Applications. Using our new primitive, we immediately obtain a reasonably efficient round-optimal blindsignature scheme based on standard assumptions. Moreover, exploiting the fact that our encryption is homomorphic, we construct a non-interactive receipt-free universally verifiable e-voting scheme as follows: the user encrypts his vote, proves its validity, and sends the encryption, a signature on it, and the proof to the voting center. The latter can now randomize the ciphertext, adapt both the proof and the user’s signature, and publish them. After the results are announced, the user can verify his signature, which convinces him that the randomized ciphertext still contains his original vote due to our notion of unforgeability; however he cannot prove to anyone what his vote was. Related work. The issue of signing messages that are only available as an encryption was already addressed by Fuchsbauer in [Fuc10]. He introduced commuting signatures and verifiable encryption where, given a ciphertext, a signer can produce a verifiably encrypted signature on the plaintext. These encrypted signatures can be randomized and used to construct the first delegatable anonymous credentials [BCC+ 09] with a noninteractive delegation protocol. We avoid (randomizable) verifiable encryption of signatures by using signatures that are themselves randomizable. In our instantiation of round-optimal blind signatures, the blind signature is an actual signature rather than a verifiable encryption of it. Moreover, our construction is based on standard assumptions, whereas [Fuc10] relies on a “q-type” assumption. The efficiency of the two approaches is comparable when signing short messages, as required by our application to e-voting—since votes typically consist of only a few bits. We note however that the size of our ciphertexts is linear in the bit length of the message. Organization. In the next section, we present the primitive and the security model. We then give two instantiations in symmetric bilinear groups based on the decision linear assumption. We first fix ideas using standard Waters signatures and then define a variant which yields a significant efficiency improvement of our instantiation, proven secure under the same assumptions. Due to space limitations, our instantiation in asymmetric groups based on ElGamal encryption and an asymmetric variant of Waters signatures is deferred to the Appendices C and D. In the last section, we illustrate applications of our primitive.
2
Definitions
This section presents the global framework and the security model for our new concept of signatures on ciphertexts (or commitments). We thus first briefly recall the basics of signatures and encryption. We then combine both into a single scheme. 2.1
Notations for Signature and Encryption
Definition 1 (Encryption Scheme). E = (Setup, EKeyGen, Encrypt, Decrypt): – Setup(1k ), where k is the security parameter, generates the global parameters param of the scheme; 3
– EKeyGen(param) generates a pair of keys, the public (encryption) key pk and the associated private (decryption) key dk; – Encrypt(pk, m; r) produces a ciphertext c on the input message m ∈ M and the public key pk, using the random coins r ∈ Re ; – Decrypt(dk, c) decrypts the ciphertext c under the private key dk; it outputs the plaintext, or ⊥ if the ciphertext is invalid. Definition 2 (Signature Scheme). S = (Setup, SKeyGen, Sign, Verif): – Setup(1k ), where k is the security parameter, generates the global parameters param of the scheme; – SKeyGen(param) generates a pair of keys, the public (verification) key vk and the private (signing) key sk; – Sign(sk, m; s) produces a signature σ on the input message m, under the signing key sk, and using the random coins s ∈ Rs ; – Verif(vk, m, σ) checks whether σ is a valid signature on m, w.r.t. the public key vk; it outputs 1 if the signature is valid, and 0 otherwise. In Waters’ signature scheme, the signing algorithm first transforms the message to F = F(M ), where F is a hash function. Given F , the value of M is not required for signing and verification, but for the security guarantee. We could thus replace M by the pair (F, ΠM ), where ΠM is a proof of knowledge of a preimage of F under the function F (which we assume implicitly). We define Sign(sk, (F, ΠM ); s) and Verif(vk, (F, ΠM ), σ) that extend the above definitions. 2.2
Signatures on Ciphertexts
We now define a scheme of signatures on ciphertexts. Note that this definition can be adapted for commitments, when one uses a perfectly binding commitment scheme, which uniquely defines the committed input. Definition 3 (Signatures on Ciphertexts). SC = (Setup, SKeyGen, EKeyGen, Encrypt, Sign, Decrypt, Verif) is defined as follows: – Setup(1k ), where k is the security parameter, generates the global parameters parame and params for the associated encryption and signature schemes; – EKeyGen(parame ) generates a pair of keys, the encryption key pk and the associated decryption key dk; – SKeyGen(params ) generates a pair of keys, the verification key vk and the signing key sk; – Encrypt(pk, vk, m, r) produces a ciphertext c on input the message m ∈ M and the encryption key pk, using the random coins r ∈ Re . This ciphertext is intended to be later signed under the signing key associated to the verification key vk (the field for vk can be empty if the signing algorithm is universal and does not require a ciphertext specific to the signer); – Sign(sk, pk, c; s), on input a ciphertext c and a signing key sk, using the random coins s ∈ Rs , produces a signature σ, or ⊥ if the ciphertext c is not valid (w.r.t. pk, and possibly vk associated to sk); – Decrypt(dk, vk, c) decrypts the ciphertext c under the private key dk. It outputs the plaintext, or ⊥ if c is invalid (w.r.t. pk, and possibly vk); – Verif(vk, pk, c, σ) checks whether σ is a valid signature on c, w.r.t. the public key vk. It outputs 1 if the signature is valid, and 0 otherwise (possibly because of an invalid ciphertext c, with respect to pk, and possibly vk). Classical security notions could still be applied to this signature scheme, but we want ciphertexts and signatures to be efficiently malleable, as long as the plaintext is not affected. This will be useful for probabilistic schemes, and even more so for the randomizable scheme we will present below. In the classical definition of 4
Expuf SC,A (k) (parame , params ) ← Setup(1k ); SM := ∅ {(pki , dki )} ← EKeyGen(parame ); (vk, sk) ← SKeyGen(params ) (pkj , c, σ) ← ASign(sk,·,·) (params , parame , vk, {(pki , dki )}); m ← Decrypt(dkj , vk, c) IF m = ⊥ OR m ∈ SM OR Verif(vk, pkj , c, σ) = 0 RETURN 0 RETURN 1
Figure 1. Unforgeability of signatures on ciphertexts
existential unforgeability (EUF) [GMR88], a new signature on an already signed message is not considered a valid forgery—as opposed to strong unforgeability (SUF). When signing ciphertexts, EUF would consider a signature on a randomized ciphertext as a valid forgery. But if the ciphertext is equivalent to an already signed ciphertext (i.e. it encrypts the same plaintext), this may not be critical in some applications; in particular if we decrypt later anyway and a decrypted message-signature pair is unforgeable. We thus define the most appropriate unforgeability (UF) notion for signatures on ciphertexts: uf SC is unforgeable if, for any polynomial-time adversary A, the advantage Succuf SC,A (k) := Pr[ExpSC,A (k) = 1] is negligible, with Expuf SC,A defined in Figure 1. There, Sign(sk, ·, ·) is an oracle that takes as input a previously generated encryption key pki and a ciphertext c, and generates a signature σ on it (if the ciphertext is valid). It also updates the set SM of signed plaintexts with m = Decrypt(dki , vk, c), if the latter exists. Unforgeability in the above sense thus states that no adversary is able to generate a new valid ciphertextsignature pair for a ciphertext that encrypts a new message, i.e. different to those encrypted in ciphertexts that were queried to the signing oracle. 2.3
Signatures on Randomizable Ciphertexts
Our primitive is based on an encryption scheme and a signature scheme. Since we want randomizability, we start by enhancing these schemes with randomization algorithms satisfying certain properties. Definition 4 (Randomizable Encryption Scheme). Let (Setup, EKeyGen, Encrypt, Decrypt) be an encryption scheme with the following additional algorithm: – Random(pk, c; r0 ) produces a new ciphertext c0 , equivalent to the input ciphertext c, under the public key pk, using the additional random coins r0 ∈ Re . An encryption scheme is called randomizable if for any param ← Setup(1k ), (pk, dk) ← EKeyGen(param), message m ∈ M, coins r ∈ Re , and ciphertext c = Encrypt(pk, m; r), the following distributions are statistically $ $ indistinguishable: D0 = {r0 ← Re : Encrypt(pk, m; r0 )} and D1 = {r0 ← Re : Random(pk, c; r0 )}. Definition 5 (Randomizable Signature Scheme). Let (Setup, SKeyGen, Sign, Verif) be a signature scheme, with the following additional algorithm: – Random(vk, (F, ΠM ), σ; s0 ) produces a new signature σ 0 valid under vk from σ on a message M given as F = F(M ) and a proof ΠM of knowledge of M , using the additional random coins s0 ∈ Rs . A signature scheme is called randomizable if for any param ← Setup(1k ), (vk, sk) ← SKeyGen(param), message M ∈ M, proof of knowledge ΠM of the preimage M of F = F(M ), random s ∈ Rs , signature σ = Sign(sk, (F, ΠM ); s), the following distributions are statistically indistinguish$ $ able: D0 = {s0 ← Rs : Sign(sk, (F, ΠM ); s0 )} and D1 = {s0 ← Rs : Random(vk, (F, ΠM ), σ; s0 )}. 5
The usual unforgeability notions apply (except strong unforgeability, since the signature is malleable, by definition). We now extend the randomization to signatures on randomizable ciphertexts: Definition 6 (Randomizable Signature on Randomizable Ciphertexts). Let (Setup, SKeyGen, EKeyGen, Encrypt, Sign, Decrypt, Verif) be a scheme of signatures on ciphertexts, with the following additional algorithm: – Random(vk, pk, c, σ; r0 , s0 ) outputs a ciphertext c0 that encrypts the same message as c under the public key pk, and a signature σ 0 on c0 . Further inputs are a signature σ on c under vk, and random coins r0 ∈ Re and s0 ∈ Rs . A signature on ciphertexts is called randomizable if for any global parameters (parame , params ) ← Setup(1k ), keys (pk, dk) ← EKeyGen(parame ) and (vk, sk) ← SKeyGen(params ), m ∈ M, and random coins r ∈ Re and s ∈ Rs , for c = Encrypt(pk, vk, m; r) and σ = Sign(sk, pk, c; s) the following distributions D0 are statistically indistinguishable: D0 = {r0 ← Re ; s0 ← Rs : (c0 = Encrypt(pk, vk, m; r0 ), σ 0 = Sign(sk, pk, c0 ; s0 ))} $
$
D1 = {r0 ← Re ; s0 ← Rs : (c0 , σ 0 ) = Random(vk, pk, c, σ; r0 , s0 )} $
$
We will denote by 1e and 1s the neutral elements in Re and Rs that keep the ciphertexts and/or signatures unchanged after randomization. If Re and Rs are groups (which will be the case for all our schemes, with addition being the group operation) and if we show that it is possible to additively update the randomness then this proves that the schemes are randomizable. The same unforgeability notion as above applies. If an additional extraction algorithm exists for the signature, we get extractable signatures on ciphertexts (defined below). Then, our above unforgeability notion for signatures on ciphertexts follows from the standard unforgeability notion on signatures. 2.4
Extractable Signatures on Randomizable Ciphertexts
For a scheme of signatures on randomizable ciphertexts (SRC) SC, we define the following additional algorithm: – SigExtSC (dk, vk, σ), which is given a decryption key, a verification key and a signature, outputs a signature σ0. Let us assume that there is a signature scheme S where SetupS is the projection of SetupSC on the signature component and SKeyGenS = SKeyGen. The scheme SC is extractable if the following holds: for any (parame , params ) ← SetupSC (1k ), (pk, dk) ← EKeyGen(parame ), (vk, sk) ← SKeyGen(params ) = SKeyGenS (params ), m ∈ M, random coins r ∈ Re , s ∈ Rs , for c = EncryptSC (pk, vk, m; r) and σ = SignSC (sk, pk, c; s), the output σ 0 = SigExtSC (dk, vk, σ) is a valid signature on m under vk, that is, Verif S (vk, m, σ 0 ) is true. An extractable SRC scheme SC allows the following: a user can encrypt a message m and obtain a signature σ on the ciphertext c. From (c, σ) the owner of the decryption key can now not only recover the encrypted message m, but also a signature σ 0 on the message m, using the functionality SigExtSC . The signature σ on the ciphertext c could thus be seen as an encryption of a signature on the message m: for extractable signatures on ciphertexts, encryption and signing can thus be seen as commutative (see Figure 2). 2.5
Strong Extractability
We can immediately apply the notion of extractable signatures on randomizable ciphertexts to build a oneround classical blind signature scheme, but we can even consider more complex scenarios, such as three-player blind signature schemes (see Section 5) with applications to e-cash systems. 6
SignSC
σ(C) C
dk, vk
Ra
RandomS
A message M can be encrypted using random coins r (EncryptSC ). The signer can sign this ciphertext (SignSC ) and anyone can randomize the pair (RandomSC ). A signature on the plaintext can be obtained using either dk (for SigExtSC ) or the coins r (if σ(C) has not been randomized); the result is the same as a signature of M by the signer (SignS ). S
σ(M )
SigExtSC r
r0
C
r0 ,s nd 0 om
s0
RandomE
sk, pk, c; s
sk; s SignS
M
EncryptSC pk, (vk); r r dk DecryptE
Figure 2. (Strong) extractable signatures on randomizable ciphertexts
As already sketched above, we may have an additional property: as for encryption, knowing the random coins used for encryption may suffice to decrypt. After encrypting a message m as c, one knows the random coins r used for the encryption. In all our instantiations we have that σ is the encryption of σ 0 with the same coins r used to encrypt the message. The user who encrypted m is thus able to extract σ 0, and not only the owner of the decryption key. A system (SC, S) with such a property will be called a Strong Extractable (Randomizable) Signature on Ciphertexts (augmented by the dotted lines in Figure 2).
3
A First Instantiation
Our first construction combines linear encryption [BBS04] and Waters signatures [Wat05] as follows: given an encryption of the “Waters hash” F(M ) of a message M (and some additional values), the signer can make an encryption of a signature on M . Decrypting the latter leads thus to a classical Waters signature on M , which will provide extractability. Before presenting the final scheme in Section 4, we first fix ideas by combining linear encryption and standard Waters signatures. We then modify the Waters signature to significantly improve efficiency of the scheme. The constructions we give here make all use of a symmetric pairing, whereas we give an instantiation for (more efficient) asymmetric pairings in Appendices C and D. 3.1
Assumptions
Our constructions rely on classical assumptions: CDH for the unforgeability of signatures and DLin for the semantic security of the encryption scheme, as well as soundness of the proofs: Definition 7 (Computational Diffie-Hellman assumption (CDH)). Let G be a cyclic group of prime order p. The CDH assumption in G states that for a generator g of G and random a, b ∈ Zp , given (g, g a , g b ) it is hard to compute g ab . Definition 8 (Decision Linear assumption (DLin)). Let G be a cyclic group of prime order p. The DLin assumption states that given (g, g x , g y , g xa , g yb , g c ) for random scalars a, b, x, y, c ∈ Zp , it is hard to decide whether c = a + b. When (g, u = g x , v = g y ) is fixed, a tuple (ua , v b , g a+b ) is called a linear tuple w.r.t. (u, v, g), whereas a tuple (ua , v b , g c ) for a random and independent c is called a random tuple. 7
3.2
Basic Primitives
We briefly sketch the basic building blocks: commitments, linear encryption and the Waters signature. They are described in more detail in Appendix B. They need a pairing-friendly environment (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, for two groups G and GT , of prime order p, generated by g and gt = e(g, g) respectively. From the basic descriptions, it follows immediately that the three primitives are randomizable. Groth-Sahai Commitments. In the following, we will commit to values (group elements or scalars) and do proofs that they satisfy certain relations. We will use Groth-Sahai commitments that are secure under the DLin assumption: The commitment key is of the form (u1 = (u1,1 , 1, g), u2 = (1, u2,2 , g), u3 = (u3,1 , u3,2 , u3,3 )) ∈ $ $ (G3 )3 and is set up by choosing u1,1 , u2,2 ← G and λ, µ ← Z∗p and setting u3 = uλ1 uµ2 = (u3,1 = uλ1,1 , u3,2 = uµ2,2 , u3,3 = g λ+µ ), which makes u3 a linear tuple w.r.t. (u1,1 , u2,2 , g). $
– To commit a group element X ∈ G, choose random s1 , s2 , s3 ← Zp and set 1 3 2 3 3 C(X) := (1, 1, X) us11 us22 us33 = (us1,1 · us3,1 , us2,2 · us3,2 , X · g s1 +s2 · us3,3 ).
– To commit a scalar x ∈ Zp , choose random coins γ1 , γ2 ∈ Zp and set x+γ2 2 1 2 C 0 (x) := (ux3,1 , ux3,2 , (u3,3 g)x ) uγ11 uγ32 = (ux+γ · uγ1,1 , ux+γ · g x+γ1 ). 3,1 3,2 , u3,3
When u3 is a linear tuple these commitments are perfectly binding and the proofs will be perfectly sound. The committed values can even be extracted if the randomness of the commitment key is known (a scalar commitment allows extraction of x for small x only). However, if u3 is a random tuple (which is indistinguishable under DLin), the commitments become perfectly hiding and the proofs perfectly witness-indistinguishable. Waters Signatures. The Waters signature scheme is formally described in Appendix B.2. The public $ $ parameters are a generator h ← G and a vector u = (u0Q , . . . , uk ) ← Gk+1 , which defines the Waters hash of k Mi k a message M = (M1 , . . . , Mk ) ∈ {0, 1} as F(M ) = u0 i=1 ui . A public key is of the form vk = Y = g y , $ with corresponding secret key sk = Z = hy , for a random y ← Zp . $ The signature on M is σ = σ1 = Z · F(M )s , σ2 = g −s , for some random s ← Zp . It can be verified by checking e(g, σ1 ) · e(F(M ), σ2 ) = e(Y, h). We note that signing and verifying can be performed without knowing the message M itself; it suffices to know F = F(M ). However, existential unforgeability [Wat05] (against chosen-message attacks under the CDH assumption) is for the pair (M, σ). As a consequence, if we work directly with F(M ), we will need to add a proof of knowledge ΠM of M to guarantee unforgeability. Since our goal is to construct randomizable signatures and encryption, we will use Groth-Sahai proofs for a commitment CM of M (bit-by-bit to make it extractable: CM = (C 0 (M1 ), . . . , C 0 (Mk ))) and a proof that F is actually the evaluation of F on the committed M . Such a proof can be found in (the full version of) [FP09]. Linear Encryption. We formally describe linear encryption in Appendix B.3. The secret key dk is a pair of random scalars (x1 , x2 ) and the public key is pk = (X1 = g x1 , X2 = g x2 ). One encrypts a message M ∈ G $ as c = c1 = X1r1 , c2 = X2r2 , c3 = g r1 +r2 · M , for random scalars r1 , r2 ← Zp . To decrypt, one computes 1/x
1/x
M = c3 /(c1 1 c2 2 ). As shown by Boneh, Boyen and Shacham [BBS04], this scheme is semantically secure against chosen-plaintext attacks (IND-CPA) under the DLin assumption. 8
3.3
Waters Signature on Linear Ciphertexts
Using Waters signatures, we will sign a linear encryption of F = F(M ). We note that from a “ciphertext” using the decryption key, one can only extract F(M ) (from which M can be obtained for small message spaces). As mentioned before, signatures remain unforgeable on F if in addition a proof ΠM of knowledge of M such that F = F(M ) is given. The keys are independent Waters signature keys (vk = Y = g y and sk = Z = hy ), and linear encryption keys (dk = (x1 , x2 ), pk = (X1 = g x1 , X2 = g x2 )). Afirst idea would be to define a signature on an encrypted message c = c1 = X1r1 , c2 = X2r2 , c3 = g r1 +r2 ·F(M ) as σ = (cs1 , cs2 , Z ·cs3 ). However, there are two problems: – While the randomization of the signing coins s into s + s0 is easy from c, the randomization of the encryption coins r into r + r0 requires the knowledge of the values X1s , X2s and g s (see Section 4.2 for how to randomize). We therefore include them in the signature. – For the reduction of our notion of unforgeability to the security of Waters’ scheme, we need to simulate the oracle returning signatures on ciphertexts having a Waters signature oracle. We can first extract M from the proof of knowledge ΠM and submit M to our oracle. From a reply (Z ·F(M )s , g −s ), we then have to generate σ = (cs1 , cs2 , Z · cs3 ; X1s , X2s , g s ) for an unknown s. We could do so if we knew the randomness (r1 , r2 ) for c1 , c2 and c3 ; hence we add another proof to the extended ciphertext: Πr proves knowledge of r1 and r2 , used to encrypt F(M ), which consists of bit-by-bit commitments C1 = (C 0 (r1,1 ), . . . , C 0 (r1,` )) and C2 = (C 0 (r2,1 ), . . . , C 0 (r2,` )), where ` is the bit-length of the order p, and proofs that each sub-commitment is indeed a bit commitment. The global proof on the message and the randomness, which we denote by Π = (ΠM , Πr ), can be done with randomizable commitments and proofs, using the Groth-Sahai methodology [GS08, FP09], and consists of 9k + 18` + 6 group elements (where k and ` are the respective bit lengths of messages and of the order of G). Such an extended ciphertext (c, Π) can then be signed, after a test of validity of the proof Π. Decryption and verification follow straight from the corresponding algorithms for Waters signatures and linear encryption. More interestingly, the above signature on randomizable ciphertexts is extractable: on a valid signature, if 1/x 1/x one knows the decryption key dk = (x1 , x2 ), one can compute Σ = (Σ1 = σ3 /(σ1 1 σ2 2 ), Σ2 = σ6−1 ), which is a valid signature on M : 1/x1 1/x2 σ2 ) −s
Σ1 = σ3 /(σ1
= Z · g s(r1 +r2 ) · F(M )s /(g sr1 g sr2 ) = Z · F(M )s
Σ2 = σ6−1 = g
Note that without knowing the decryption key, the same can be obtained from the coins (r1 , r2 ) used for encryption: Σ = (Σ1 = σ3 /σ6r1 +r2 , Σ2 = σ6−1 ). From the randomization formula of the basic schemes, we easily get the randomization property of the above Waters signature on linear ciphertexts. One shows unforgeability in the UF sense under the CDH assumption in G: extractability provides a forgery on a new message, but only known as F = F(M ). Since one also has to provide a valid proof ΠM that contains commitments to the bits of message M , the knowledge of the trapdoor (λ, µ) for the commitments allows to recover M too, which leads to an existential attack of the basic Waters signature scheme. The complete description and security analysis can be found in Appendix B.
4
An Efficient Instantiation
The construction in the previous section is a concrete and feasible signature on randomizable ciphertexts, which is furthermore extractable, and even in a strong way. We have thus achieved our goal, and all the applications we had in mind can benefit from it. The main drawback, from an efficiency point of view, are the bit-by-bit commitments CM , C1 and C2 of M, r1 and r2 , respectively. Whereas the message M to be signed 9
could be short (and even a single bit for voting schemes), r1 and r2 are necessarily large (the bit length of the order of the group). For a k-bit long message M , ΠM (composed of CM and a proof) consists of 9k + 2 group elements. The random coins r1 and r2 being `-bit long, Πr (which includes C1 , C2 and the proof) requires 18` + 4 group elements. We now revisit the Waters signature scheme, which will allow us to remove the costly bit-by-bit commitments C1 and C2 . The main idea for the construction is to build a scheme which is unforgeable against a stronger kind of chosen-message attack under the same assumption: the adversary can submit “extended messages” (M, R1 := g r1 , R2 := g r2 , Y1 = Y r1 , Y2 = Y r2 ) and the oracle replies with the tuple (sk · (F(M )R1 R2 )s , g −s , R1−s , R2−s ). We name this attack chosen-extended-message attack and note that this security notion implies the classical one, since querying (M, 1G , 1G , vk) yields a signature on M . Intuitively, the extra parameters (R1 , R2 ) will allow simulation of the signature on the ciphertext without having to know the random coins r1 and r2 explicitly. 4.1
Revisited Waters Signature
Our variant is defined by the four algorithms. – Setup(1k ): The scheme is defined over a bilinear group (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, G and GT are groups of prime order p, generated by g and e(g, g) respectively. We will sign messages M = (M1 , . . . , Mk ) ∈ {0, 1}k . The parameters are a randomly chosen generator Q $ $ i h ← G and a vector u = (u0 , . . . , uk ) ← Gk+1 , which defines the Waters Hash as F(M ) = u0 ki=1 uM i . We set param := (p, G, GT , e, g, h, u). $ – SKeyGen(param): Choose a random scalar y ← Zp , which defines the public key vk = Y = g y , and the y secret key as sk = Z = h . – Sign(sk = Z, M, R1 , R2 , Y1 , Y2 ; s): First check the consistency of (R1 , R2 , Y1 , Y2 ): if e(R1 , Y ) = e(g, Y1 ) and e(R2 , Y ) = e(g, Y2 ) then this guarantees that there exists (r1 , r2 ) such that Ri = g ri , Yi = Y ri . Choose a $ random s ← Zp and define the signature as σ = σ1 = Z · (F(M )R1 R2 )s , σ2 = g −s , σ3 = R1−s , σ4 = R2−s . Again, we may replace the input message M by the pair (F(M ), ΠM ). – Verif(vk = Y, M, R1 , R2 , Y1 , Y2 , σ): Check whether e(g, σ1 ) · e(F(M )R1 R2 , σ2 ) = e(Y, h), e(g, σ3 ) = e(σ2 , R1 ) and e(g, σ4 ) = e(σ2 , R2 ), as well as the consistency of (R1 , R2 , Y1 , Y2 ). To randomize a signature, we define Random(vk, (F, ΠM ), R1 , R2 , Y1 , Y2 , σ = (σ1 , σ2 , σ3 , σ4 ); s0 ) to output 0 0 0 0 $ σ 0 = (σ1 · (F R1 R2 )s , σ2 · g −s , σ3 · R1−s , σ4 · R2−s ), for a random s0 ← Zp . This simply changes the initial randomness s to s + s0 mod p. Hence, if s0 is uniform then the internal randomness of σ 0 is uniform in Zp . Theorem 9. Our variant of the Waters signature scheme is randomizable, and existentially unforgeable under chosen-extended-message attacks if the CDH assumption holds. The proof of unforgeability is similar to that for the original Waters scheme and can be found in Appendix A. 4.2
Signatures on Encrypted Messages
In our new scheme, we will sign a linear encryption of F = F(M ) using our Revisited Waters signatures: – Setup(1k ): The scheme is based on a bilinear group (p, G, GT , e, g), which constitutes the parameters $ parame for encryption. For the signing part, we require moreover a vector u = (u0 , . . . , uk ) ← Gk+1 , and $ a generator h ← G and define params := (p, G, GT , e, g, h, u). $ – EKeyGen(parame ): Choose two random scalars x1 , x2 ← Zp , which define the secret key dk = (x1 , x2 ), and the public key as pk = (X1 = g x1 , X2 = g x2 ). 10
$
– SKeyGen(params ): Choose a random scalar y ← Zp , which defines the public key as vk = Y = g y , and the secret key as sk = Z = hy . – Encrypt pk = (X1 , X2 ), vk = Y, M ; (r1 , r2 ) : For a message M ∈ {0, 1}k and random scalars r1 , r2 ∈ Zp , define the ciphertext as c = c1 = X1r1 , c2 = X2r2 , c3 = g r1 +r2 · F(M ) . To guarantee our notion of unforgeability of signatures on ciphertexts, we add proofs of knowledge of M and an image of r1 and r2 : • Proof Πr contains the commitments Cr = (C1 = C(Y r1 ), C2 = C(Y r2 )), from which the simulator can extract Y1 , Y2 in the reduction (see below). Πr moreover contains proofs of consistency: e(hCi i, Xi ) = e(ci , Y ). These equations are linear pairing product equations. We require 6 group elements for the commitments and 6 for the proofs, thus 12 group elements instead of 18` + 4 in the previous construction. • Proof ΠM proves knowledge of M s.t. F(M ) is encrypted in c. It consists of a bit-by-bit commitment CM = (C 0 (M1 ), . . . , C 0 (Mk )) and proofs that each committed value is a bit (6k group elements); Q hM i moreover, a proof that c3 is well-formed: e(c3 , Y ) = e(u0 i∈{1,...,k} ui i ), Y ) · e(hC1 ihC2 i, g), which is a linear pairing product equation (3 additional group elements). ΠM is therefore composed of 9k + 3 group elements. The global proof (containing the commitments) Π consists therefore of 9k + 15 group elements (instead of 9k + 18` + 6 when using the original Waters scheme), where k and ` are the bit lengths of the message M and elements of G, respectively. – Sign sk = Z, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π); s : To sign a ciphertext c = (c1 , c2 , c3 ), first check if Π is valid, and if so, output σ = (cs1 , cs2 , Z · cs3 ; X1s , X2s , g s ) . – Decrypt dk = (x1 , x2 ), vk = Y, (c = (c1 , c2 , c3 ), Π) : On a valid ciphertext (verifiable via Π), knowing the 1/x
1/x
decryption key dk = (x1 , x2 ), one can obtain F = F(M ) since F = c3 /(c1 1 c2 2 ). – Verif vk = Y, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π), σ = (σ1 , σ2 , σ3 ; σ4 , σ5 , σ6 ) : In order to verify the signature, one verifies Π and checks whether the following pairing equations hold: e(σ3 , g) = e(h, Y ) · e(c3 , σ6 ) and e(σ1 , X1 ) = e(c1 , σ4 )
e(σ2 , X2 ) = e(c2 , σ5 )
e(σ1 , g) = e(c1 , σ6 )
e(σ2 , g) = e(c2 , σ6 )
– Random vk = Y, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π), σ; r10 , r20 , s0 : In order to randomize the signature and the ciphertext, the algorithm outputs: 0 0 r0 r0 c0 = c1 · X1 1 , c2 · X2 2 , c3 · g r1 +r2 r0
0
r 0 s0
0
r0
r 0 s0
0
r0 +r0
0
0
0
σ 0 = σ1 · cs1 · σ41 · X1 1 , σ2 · cs2 · σ52 · X2 2 , σ3 · cs3 · σ61 2 · g (r1 +r2 )s 0 0 0 σ4 · X1s , σ5 · X2s , σ6 · g s together with a randomization Π 0 of Π. 1/x 1/x – SigExt dk = (x , x ), vk, (c = (c , c , c ), Π), σ : Return the following: Σ = Σ1 = σ3 /(σ1 1 σ2 2 ), Σ2 = 1 2 1 2 3 σ6−1 , which is a valid signature on M : 1/x1 1/x2 σ2 ) −s
Σ1 = σ3 /(σ1
Σ2 = σ6−1 = g
= Z · g s(r1 +r2 ) · F(M )s /g sr1 g sr2 = Z · F(M )s ,
.
The same can be obtained from the coins (r1 , r2 ) used for encryption. Theorem 10. The above scheme is randomizable and unforgeable (in the UF sense) under the CDH assumption in G. 11
Proof. Correctness of Random follows from inspection of the construction of c0 and σ 0 and the fact that Groth-Sahai proofs are randomizable. Since we have proved that our variant of Waters signatures is secure under a stronger kind of attack, we can use it for an appropriate simulation of the signing oracle. The full proof can be found in Appendix A. As motivated when introducing the additional elements in the signature query, from a valid signing query, our simulator can extract M , but also Ri = g ri , Yi = Y ri (but not the scalars r1 and r2 ), partly from the commitment and partly using dk. It adds M to the set SM and then queries SignS (sk, M, R1 , R2 , Y1 , Y2 ) to the extended-message signing oracle to obtain σ 0 = (σ10 = sk · (F(M )R1 R2 )s , σ20 = g −s , σ30 = R1−s , σ40 = R2−s ). It then returns the following to the adversary: σ1 = σ30 −x1 = g sr1 x1 = X1sr1 , σ2 = σ40 −x2 = g sr2 x2 = X2sr2 , σ3 = σ10 = sk · F(M )s · g s(r1 +r2 ) . σ= σ4 = σ30 −x1 = X1s , σ5 = σ40 −x2 = X2s , σ6 = σ20 −1 = g s Finally, if the adversary wins by outputting a ciphertext and a signature, we can extract a signature on the plaintext and the plaintext from the proof of knowledge. t u
5
Applications
We have introduced extractable signatures on randomizable ciphertexts (ESRC), a new primitive that has many applications to anonymity. A first straightforward application is to blind signatures, which yields a similar (yet more efficient) result to [MSF10, GK08]; however, this does not exploit all the power of our new tool. A more interesting application is to receipt-free voting schemes. We discuss this in the following and then show how to construct variants of blind signatures from our primitive. 5.1
Non-interactive Receipt-Free E-voting
In voting schemes, anonymity is a crucial property: nobody should be able to learn the content of my vote. This can be achieved with encryption schemes. However, this does not address the problem of vote sellers: a voter may sell his vote and then reveal/prove the content of his encrypted vote to the buyer. He could do so by simply revealing the randomness used when encrypting the vote, which allows to verify that a claimed message was encrypted. A classical approach to prevent vote selling uses heavy interactive techniques based on randomizable encryption schemes and designated-verifier zero-knowledge proofs: the voter encrypts his vote v as c and additionally signs it to bar any modification by the voting center. But before doing so, the voting center randomizes c into c0 (which cannot be opened by the voter anymore since he no longer knows the random coins) and then proves that c and c0 contain the same plaintext. This proof must be non-transferable, otherwise the voter could open c (by revealing the random coins) and transfer the proof to the buyer, which together yields a proof of opening for c0 . The used proof is thus a designated-verifier zero-knowledge proof. Finally, after receiving c0 and being convinced by the proof, the voter signs c0 . Signatures on ciphertexts that can be randomized allow to avoid interactions altogether: all a voter does is encrypt his vote v as c and make a signature σ on c. The voting center can now consistently randomize both c and σ as c0 and σ 0 , so that the randomness used in c0 is unknown to the signer, who is however guaranteed that the vote was not modified by the voting center because of the unforgeability notion for ESRC: nobody can generate a signature on a ciphertext that contains a different plaintext. We have thus constructed a non-interactive receipt-free voting scheme. Since our ESRC candidates use not only randomizable but homomorphic encryption schemes (the encryption of the vote is actually the bit-commitments of the Mi ’s, which are either linear encryptions or ElGamal encryptions of g Mi ), classical techniques for voting schemes with homomorphic encryption and threshold 12
decryption can be used [BFP+ 01]: there is no risk for the signature on the ciphertext to be converted into a signature on the plaintext if the board of authorities uses the decryption capability on the encrypted tally only. If the vote consists of one box to be checked, the size of the ballot is only 33 group elements in the instantiation with linear encryption, and even smaller for the instantiation using ElGamal detailed in Appendix D: 15 G1 elements and 9 G2 elements. Furthermore, if the vote consists of several (say k) boxes to be checked or not, with various constraints, the ballot size grows only slowly in k, since while the votes are committed bit by bit, the proofs can be global. Hence, the size basically corresponds to the signature on a ciphertext of a k-bit message. The extended ciphertexts already contains proofs that plaintexts are bits only, and all the proofs are randomizable. 5.2
Blind Signatures and Variants
Since the beginning of e-cash, blind signatures have been their most important tool. They provide an interactive protocol between a bank and a user, letting a user have a message signed by the bank without revealing it. Moreover, the message-signature pair obtained by the user is uncorrelated to the view of the protocol execution by the bank, which enables the user to withdraw anonymous coins. Several signature schemes have been turned into blind signature schemes. The best-known is the first scheme by Chaum [Cha83], which is derived from RSA signatures [RSA78], and has been proven secure [BNPS01] under the one-more RSA assumption in the random-oracle model [BR93]. As defined in [PS96,PS00], for e-cash, the security requirement is the resistance to one-more forgeries: after interacting q times with the signer, an adversary should not be able to output more than q valid signed messages. With ESRC, one can build a computationally blind signature scheme: the user encrypts the message m into the ciphertext c under his own key, and asks for a signature on c. He gets back a signature on the ciphertext c from which he can then extract σ, a valid signature on m. This signature is not yet blind, since the signer knows the coins used to compute it, and can thus link σ to the transcript. However, due to the randomizability of the signature, the user can randomize σ into σ 0 that is a secure blind signature: – the blindness property relies on the semantic security of the encryption scheme (here DLin) and the randomization, which is information-theoretic; – the one-more unforgeability relies on unforgeability of the signature scheme (here CDH), since the user cannot generate a signature for a message that has not been asked, encrypted, to the signer. Of course, we do not obtain strong one-more unforgeability (where several signatures on the same message would be counted several times), which is impossible with randomizable signatures. This construction is similar to [GK08] but with better efficiency and much less bandwidth consumption since the latter relies on inefficient NIZK techniques [DFN06]. One-Round Fair Blind Signatures. With a strong extractable randomizable signature on ciphertexts, we get more than just standard blind signatures: we have fair blind signatures [SPC95]. Using a strong ESRC scheme, the user does not need to encrypt m under his own key, since the random coins suffice to extract the signature. He can thus encrypt the message m under a tracing authority’s key. Using the decryption key, the authority can extract the message from c (or at least check if c encrypts a purported message) w.r.t. the signed message and thus revoke anonymity in case of abuse. One-Round Three-Party Blind Signatures. Our primitive also allows to design a three-party blind signature scheme, which we define as follows: a party A makes a signer C sign a message m for B so that neither A nor C can later link the final message-signature pair (for A among all the signatures for the message m, and for C among all the valid message-signature pairs). To realize this primitive, the party A encrypts 13
the message m under the key of B, and sends it to the signer C, who signs the ciphertext and applies the randomization algorithm to the ciphertext-signature pair (this is useful only in case A and B are distinct, as then A does not know the randomness for encryption and therefore cannot extract a signature). C sends the encrypted signature to B (possibly via A, who cannot decrypt anyway) and B also applies the randomization algorithm (so that C does not know the random coins used for signing) and then extracts the signature. With such a 2-flow scheme, B can obtain a signature, unknown to A, on a message chosen by A, unknown and even indistinguishable from any message-signature pair to C. Applied to group signatures, such a primitive allows a group manager A to add a new member B without learning his certificate provided by the authority C: A can define the rights in the message, but only B receives the certificate generated by C. Additional Properties. Using our instantiation of ESRC, we can define an additional trapdoor: the extraction key for the commitments. It is not intended to be known by anybody (except the simulator in the security analysis), since the commitment key is in the CRS, but one could consider a scenario where it is given to a trusted authority that gets revocation capabilities. Our construction is similar to previous efficient round-optimal blind signatures [Fuc09, AFG+ 10] in that it uses Groth-Sahai proofs. However, we rely on standard assumptions only, and our resulting blind signature is a standard Waters signature, which is much shorter (2 group elements!) than the proof of knowledge of a signature used in all previous constructions.
Acknowledgments This work was supported by the French ANR-07-TCOM-013-04 PACE Project, by the European Commission through the ICT Program under Contract ICT-2007-216676 ECRYPT II and by EADS.
References [AFG+ 10] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo. Structure-preserving signatures and commitments to group elements. In T. Rabin, editor, Advances in Cryptology – CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 209–236. Springer, Aug. 2010. [BBS04] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, editor, Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 41–55. Springer, Aug. 2004. [BCC+ 09] M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham. Randomizable proofs and delegatable anonymous credentials. In S. Halevi, editor, Advances in Cryptology – CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 108–125. Springer, Aug. 2009. [BFP+ 01] O. Baudron, P.-A. Fouque, D. Pointcheval, J. Stern, and G. Poupard. Practical multi-candidate election system. In 20th ACM Symposium Annual on Principles of Distributed Computing, pages 274–283. ACM Press, Aug. 2001. [BNPS01] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme. In P. F. Syverson, editor, FC 2001: 5th International Conference on Financial Cryptography, volume 2339 of Lecture Notes in Computer Science, pages 319–338. Springer, Feb. 2001. [BR93] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Ashby, editor, ACM CCS 93: 1st Conference on Computer and Communications Security, pages 62–73. ACM Press, Nov. 1993. [BW06] X. Boyen and B. Waters. Compact group signatures without random oracles. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 427–444. Springer, May / June 2006. [Cha83] D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, Advances in Cryptology – CRYPTO’82, pages 199–203. Plenum Press, New York, USA, 1983. [DFN06] I. Damg˚ ard, N. Fazio, and A. Nicolosi. Non-interactive zero-knowledge from homomorphic encryption. In S. Halevi and T. Rabin, editors, TCC 2006: 3rd Theory of Cryptography Conference, volume 3876 of Lecture Notes in Computer Science, pages 41–59. Springer, Mar. 2006. [Fis06] M. Fischlin. Round-optimal composable blind signatures in the common reference string model. In C. Dwork, editor, Advances in Cryptology – CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 60–77. Springer, Aug. 2006.
14
[FP09]
G. Fuchsbauer and D. Pointcheval. Proofs on encrypted values in bilinear groups and an application to anonymity of signatures. In H. Shacham and B. Waters, editors, PAIRING 2009: 3rd International Conference on Pairing-based Cryptography, volume 5671 of Lecture Notes in Computer Science, pages 132–149. Springer, Aug. 2009. [Fuc09] G. Fuchsbauer. Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive, Report 2009/320, 2009. http://eprint.iacr.org/. [Fuc10] G. Fuchsbauer. Commuting signatures and verifiable encryption and an application to non-interactively delegatable credentials. Cryptology ePrint Archive, Report 2010/233, 2010. http://eprint.iacr.org/. [GK08] K. Gjøsteen and L. Kr˚ akmo. Round-optimal blind signatures from Waters signatures. In J. Baek, F. Bao, K. Chen, and X. Lai, editors, ProvSec, volume 5324 of Lecture Notes in Computer Science, pages 112–126. Springer, 2008. [GMR88] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988. [GS08] J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P. Smart, editor, Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, Apr. 2008. [HK08] D. Hofheinz and E. Kiltz. Programmable hash functions and their applications. In D. Wagner, editor, Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 21–38. Springer, Aug. 2008. [MSF10] S. Meiklejohn, H. Shacham, and D. M. Freeman. Limitations on transformations from composite-order to prime-order groups: The case of round-optimal blind signatures. In M. Abe, editor, Proceedings of Asiacrypt 2010, volume 6477 of Lecture Notes in Computer Science, pages 519–538. Springer, 2010. [PS96] D. Pointcheval and J. Stern. Provably secure blind signature schemes. In K. Kim and T. Matsumoto, editors, Advances in Cryptology – ASIACRYPT’96, volume 1163 of Lecture Notes in Computer Science, pages 252–265. Springer, Nov. 1996. [PS00] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000. [RSA78] R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the Association for Computing Machinery, 21(2):120–126, 1978. [SPC95] M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology – EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pages 209–219. Springer, May 1995. [Wat05] B. R. Waters. Efficient identity-based encryption without random oracles. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer, May 2005.
A
Security Proofs for the Revisited Waters Signature on Linear Ciphertexts
Theorem 9. Our variant of the Waters signature scheme is existentially unforgeable under chosen-extendedmessage attacks if the CDH assumption holds. Proof. Let A be an adversary breaking the existential unforgeability of the above signature scheme, i.e. after at most qs signing queries, it succeeds in building a new signature with probability . Let (g, A = g a , B = g b ) be a CDH-instance. We show how an adversary B can compute g ab thanks to A. $
$
SetupS . Pick a random position j ← {0, . . . , k}, choose random indices y0 , y1 , . . . , yk ← {0, . . . , 2qs − 1}, and $ random scalars z0 , z1 , . . . , zk ← Zp . One defines Y = A = g a , h = B = g b , u0 = hy0 −2jqs g z0 , ui = hyi g zi . Signing queries. To answer a signing query on a message M = (Mi ), we define X X H = −2jqs + y0 + y i Mi , J = z 0 + zi Mi : F(M ) = hH g J . i
i 1/H
If H ≡ 0 (mod p) then abort, otherwise set σ = (Y −J/H (Y1 Y2 )−1/H (F(M )R1 R2 )s , Y 1/H g −s , Y1 Defining s˜ = s − a/H, we have: 1/H 1/H σ := Y −J/H (Y1 Y2 )−1/H (hH g J R1 R2 )s , Y 1/H g −s , Y1 R1−s , Y2 R2−s 1/H
= Y −J/H Y −(r1 +r2 )/H (ha g Ja/H g (r1 +r2 )a/H )(F(M )R1 R2 )s˜, Y 1/H g −a/H g −˜s , Y1 = ha (F(M )R1 R2 )s˜, g −˜s , R1−˜s , R2−˜s . 15
1/H
R1−s , Y2
1/H
R1−s , Y2
R2−s
R2−s ).
After at most qs signing queries A outputs a forgery σ ∗ = (σ1∗ , σ2∗ , σ3∗ , σ4∗ ) on M ∗ . As before, we define X X ∗ ∗ H ∗ = −2jqs + y0 + yi Mi∗ , J ∗ = z0 + zi Mi∗ : F(M ∗ ) = hH g J . i
i ∗
∗
∗
∗
If H ∗ 6≡ 0 (mod p) then abort, otherwise, for some s∗ , σ ∗ = (ha (F(M ∗ )R1 R2 )s , g −s , R1−s , R2−s ), and thus ∗ ∗ ∗ ∗ ∗ ∗ ∗ σ ∗ = (ha g J s (R1 R2 )s , g −s , R1−s , R2−s ). As a consequence, σ1∗ (σ2∗ )J σ3 σ4 = ha = g ab : one has solved the CDH problem. Success Probability. (Based on [HK08]) The Waters hash function is (1, δ)-programmable (i.e. we can find with non negligible probability a case where δ intermediate hashes are not√null, and the last one is), therefore t u the previous simulation succeeds with non negligible probability (Θ(/qs k)), and so B breaks CDH. Theorem 10. Our variant of Waters signature on linear ciphertexts is unforgeable (in the UF sense) under the CDH assumption in G. Proof. Let us denote SC our above signature on ciphertexts (but omit it in the subscripts for clarity), and S our variant of Waters signature scheme. We know that the latter is existentially unforgeable against chosenextended-message attacks under the CDH assumption. Let us assume that A is able to break the unforgeability of SC. We will build an adversary B against our variant of Waters signature scheme. We note that B generated the parameters for the commitments for the proof Π of knowledge of M , g r1 and g r2 , so that it can extract the values. – Setup(1k ): we first run the SetupS (1k ) algorithm, from which we get paramS = (p, G, GT , e, g, h, u). We set params = paramS = (p, G, GT , e, g, h, u), and parame = (p, G, GT , e, g). B sets the commitment parameters so that it can extract committed values. $ – EKeyGen(parame ): for each new key request, B chooses two random scalars x1 , x2 ← Zp , which define the secret key dk = (x1 , x2 ), and the public key as pk = (X1 = g x1 , X2 = g x2 ). – SKeyGen(params ): for the unique signing key request, one gets the verification key vkS from our variant of the Waters unforgeability security game. B sets vk = X = vkS . – A can now access a signing oracle, with queries of the form Sign(vk, pk, ·), for any pk and ciphertext of its choice. But the ciphertext looks like c = (c1 , c2 , c3 ) together with Π, that contains CM (with extractable M ), Cr = (C1 , C2 , C3 ) (with extractable g r1 , g r2 and X r1 +r2 ). • If the tuple (c, Π) is not valid, then B returns ⊥; • Otherwise, B can extract M from the bit-by-bit proof of knowledge ΠM , as well as Y1 = X r1 , Y2 = X r2 from Cr and using dk, R1 = cx1 1 , R2 = cr22 . It then queries SignS (skS , M, R1 , R2 , Y1 , Y2 ) to the extended-message signing oracle, and adds (vk, M ) to the SM set. It receives back σ 0 = (σ10 = sk · (F(M )R1 R2 )s , σ20 = g −s , σ30 = R1−s , σ40 = R2−s ). It then returns σ1 = σ30 −x1 = g sr1 x1 = Y1sr1 , σ2 = σ40 −x2 = g sr2 x2 = Y2sr2 , σ3 = σ10 = sk · F(M )s · g s(r1 +r2 ) , σ= . σ4 = σ20 −x1 = g sx1 = X1s , σ5 = σ20 −x2 = g sx2 = X2s , σ6 = σ20 −1 = g s – After a polynomial number of queries, A outputs, with non-negligible probability, a valid signature σ on a valid ciphertext (c, Π). As above, from Π and the extraction key, B can extract the message M . For a valid forgery, one needs M 6= ⊥ and (M, vk) 6∈ SM. Again, from Π, the extraction key and the commitment key, B can obtain (R1 , R2 , Y1 , Y2 ). One sets σB = (Σ1 = sk(F(M )R1 R2 )s ,
Σ2 = σ6−1 = g −s ,
1/x1
Σ3 = σ1
= R1s ,
1/x2
Σ4 = σ2
= R2s ).
And so (M, R1 , R2 , Y1 , Y2 , σB ) is a valid forgery. This breaks the security of our variant of the Waters signature scheme, that holds under the CDH assumption. t u 16
B B.1
Basic Waters Signature on Linear Ciphertexts Groth-Sahai Commitments
In the following, several elements (group elements or scalars) will have to be committed so that proofs can be done on them. We will use Groth-Sahai commitments that are secure under the DLin assumption: they need a pairing-friendly environment (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, for two groups G and GT , of prime order p, generated by g and gt = e(g, g) respectively. The commitment key is of the form (u1 = (u1,1 , 1, g), u2 = (1, u2,2 , g), u3 = (u3,1 , u3,2 , u3,3 )) ∈ (G3 )3 . Initialization of the parameters $ should be: u3 = uλ1 uµ2 = (u3,1 = uλ1,1 , u3,2 = uµ2,2 , u3,3 = g λ+µ ) with λ, µ ← Z∗p , and random elements $
u1,1 , u2,2 ← G, which means that u3 is a linear tuple wrt (u1,1 , u2,2 , g). Group-Element Commitment. To commit a group element X ∈ G, one chooses random coins s1 , s2 , s3 ∈ Zp 3 3 2 3 1 ). , X · g s1 +s2 · us3,3 · us3,2 , us2,2 · us3,1 and sets C(X) := (1, 1, X) us11 us22 us33 = (us1,1 – For a correct initialization of the commitment key (u3 is a linear tuple), we can re-write C(X) as C(X) = (ua1,1 , ub2,2 , X · g a+b ), for a = s1 + λs3 and b = s2 + µs3 . This is a linear encryption of X under the key (u1,1 , u2,2 ) (see below). We thus have a perfectly binding commitment scheme, whereas it is hiding under the DLin assumption. A simulator that knows the discrete logarithms of u1,1 and u2,2 in basis g (the decryption key of the linear encryption) can extract X. – In the case that u3 is a random tuple (random initialization), u3 = (u3,1 = uλ1,1 , u3,2 = uµ2,2 , u3,3 = g κ ), then we can re-write C(X) as C(X) = (ua1,1 , ub2,2 , X ·g c ), for a = s1 +λs3 , b = s2 +µs3 , and c = s1 +s2 +κs3 . It perfectly blinds X. Scalar Commitment. To commit a scalar x ∈ Zp , one chooses random coins γ1 , γ2 ∈ Zp and sets C 0 (x) := x+γ2 2 1 2 (ux3,1 , ux3,2 , (u3,3 g)x ) uγ11 uγ32 = (ux+γ · uγ1,1 , ux+γ · g x+γ1 ). 3,1 3,2 , u3,3 – For a correct initialization of the commitment key (u3 is a linear tuple), we can re-write C 0 (x) as C 0 (x) = (ua1,1 , ub2,2 , g x · g a+b ), for a = λ(x + γ2 ) + γ1 and b = µ(x + γ2 ). This is a linear encryption of g x under the key (u1,1 , u2,2 ), as above. A simulator that knows the discrete logarithms of u1,1 and u2,2 in basis g can extract g x . In the case x is small (a bit), one can then extract x. Note that this commitment scheme is homomorphic: the product of C 0 (x) and C 0 (y) is a commitment of x + y mod p. – In the case that u3 is a random tuple (random initialization), u3 = (u3,1 = uλ1,1 , u3,2 = uµ2,2 , u3,3 = g κ ), then we can re-write C 0 (x) as C 0 (x) = (ua1,1 , ub2,2 , g x · g c ), for a = λ(x + γ2 ) + γ1 , b = µ(x + γ2 ), and c = γ1 + κ(x + γ2 ). It perfectly blinds x. Proofs. Under the DLin assumption, the two initializations of the commitment key (linear tuple or random tuple) are indistinguishable. The former initialization provides a perfectly binding commitment and perfectly sound proofs, whereas the latter provides a perfectly hiding commitment and perfectly witness hiding proofs. Relations are of three types, depending on the place of the commitments in the pairings. We thus use notation hxi for a committed scalar x (or hXi for a committed group element X). More details can be found in [GS08]: – Multi-scalar multiplications equations: hX r1 +r2 i = X hr1 i+hr2 i , to prove that the committed group element is equal to X raised to the sum of the committed scalars r1 and r2 ; hr i – Linear multi-scalar multiplications equations: X1 1 = c1 , to prove that the committed scalar r1 is the one used in c1 ; – Quadratic equations: hxi(hxi − 1) = 0, to show that a committed scalar x is a bit. 17
In multi-scalar multiplication equations, the matrix containing the proof elements is composed of 9 group elements. Note that some optimizations can be made if we have linear equations. Quadratic equations require 6 elements only: Assumption: DLin Commitments Multi-scalar multiplication equations - Linear multi-scalar multiplication equations Quadratic equations B.2
G 3 9 2 6
Waters Signatures
The Waters signature scheme is defined by the four algorithms. – Setup(1k ): The scheme needs a pairing-friendly environment (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, for two groups G and GT , of prime order p, generated by g and gt = e(g, g) respectively. $ We will sign messages M = (M1 , . . . , Mk ) ∈ {0, 1}k . To this aim, we need u = (u0 , . . . , uk ) ← Qk a vector Mi k+1 G , and for convenience, we denote the Waters’ Hash as F(M ) = u0 i=1 ui . We also need an addi$ tional generator h ← G. The global parameters param consist of all these elements (p, G, GT , e, g, h, u). $ – SKeyGen(param): Choose a random scalar x ← Zp , which defines the public key as vk = X = g x , and the secret key as sk = Y = hx . $ – Sign(sk = Y, M ; s): For some random s ← Zp , define the signature as σ = σ1 = Y · F(M )s , σ2 = g −s . – Verif(vk = X, M, σ): One checks whether e(g, σ1 ) · e(F(M ), σ2 ) = e(X, h). As shown by Waters [Wat05], this scheme is existentially unforgeable against chosen-message attacks (EUFCMA) under the hardness of CDH. We note that signing and verifying can be performed without knowing the message M itself, it suffices to have F = F(M ). Nevertheless, appropriate proofs of knowledge of M are required for the unforgeability security. We can thus replace M by the pair (F, ΠM ) in both the signing and verifying algorithms. Since we are looking for randomizable signatures and encryption, we will use proofs in the Groth-Sahai framework, with a commitment CM of M (bit-by-bit to make it extractable: CM = (C 0 (M1 ), . . . , C 0 (Mk ))) and a proof that F is actually the evaluation of F on the committed M [FP09]. Theorem 11. The Waters signature scheme is randomizable when we define, for valid signature σ and for $ random s ← Zp – Random(vk, (F, ΠM ), σ = (σ1 , σ2 ); s) outputs σ 0 = (σ1 · F s , σ2 · g −s ). Proof. It is clear that the following works: σ = Sign(sk, (F, ΠM ); s)
⇒
Random(vk, (F, ΠM ), σ; s0 ) = Sign(sk, (F, ΠM ); s + s0 mod p).
Due to the group structure of the random coins space, the re-randomization algorithm provides the correct distribution. B.3
Linear Encryption
Linear encryption is defined by the four algorithms. – Setup(1k ): The scheme needs a pairing-friendly environment (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, for two groups G and GT , of prime order p, generated by g and gt = e(g, g) respectively. The global parameters param consist of these elements (p, G, GT , e, g). 18
$
– EKeyGen(param): Choose two random scalars x1 , x2 ← Zp , which define the secret key dk = (x1 , x2 ), and the public key as pk = (X1 = g x1 , X2 = g x2 ). $ – Encrypt(pk = (X1 , X2 ), M ; r1 , r2 ): For a message M ∈ G and random scalars r1 , r2 ← Zp , define the r2 r1 r +r ciphertext as c = c1 = X1 , c2 = X2 , c3 = g 1 2 · M . 1/x 1/x – Decrypt(dk = (x1 , x2 ), c = (c1 , c2 , c3 )): One computes M = c3 /(c1 1 c2 2 ). As shown by Boneh, Boyen and Shacham [BBS04], this scheme is semantically secure against chosen-plaintext attacks (IND-CPA) under the hardness of DLin. Theorem 12. The linear encryption scheme is randomizable when we define: r0
r0
0
0
– Random(pk, M, c = (c1 , c2 , c3 ); r10 , r20 ) outputs c0 = (c1 · X1 1 , c2 · X2 2 , c3 · g r1 +r2 ), for random scalars $ r10 , r20 ← Zp Proof. It is clear that the following is a valid randomization: c = (c1 , c2 , c3 ) = Encrypt(pk, M ; r1 , r2 ) ⇒ Random(pk, c; r10 , r20 ) = Encrypt(pk, M ; r1 + r10 mod p, r2 + r20 mod p) . B.4
t u
Signature on Encrypted Messages
We are now ready to generate a signature on an encryption of F(M ). But as already explained, the signature scheme remains unforgeable on F with an additional proof of knowledge ΠM of M such that F = F(M ). – Setup(1k ): The scheme needs a pairing-friendly environment (p, G, GT , e, g), where e : G × G → GT is an admissible bilinear map, for two groups G and GT , of prime order p, generated by g and gt = e(g, g) $ respectively. For the signing part, we need an additional vector u = (u0 , . . . , uk ) ← Gk+1 , and a generator $ h ← G. The parameters parame for the encryption part consist of (p, G, GT , e, g), whereas the parameters params for the signing part consist of (p, G, GT , e, g, h, u). $ – EKeyGen(parame ): Choose two random scalars x1 , x2 ← Zp , which define the secret key dk = (x1 , x2 ), and the public key as pk = (X1 = g x1 , X2 = g x2 ). $ – SKeyGen(params ): Choose a random scalar x ← Zp , which defines the public key as vk = X = g x , and the secret key as sk = Y = hx . – Encrypt(pk = (X1 , X2 ), vk = X, M ; (r1 , r2 )): For a message M ∈ {0, 1}k and random scalars r1 , r2 ∈ Zp , define the ciphertext as c = c1 = X1r1 , c2 = X2r2 , c3 = g r1 +r2 · F(M ) . To guarantee our notion of unforgeability of signatures on ciphertexts, we also add some proofs of validity of the ciphertext: • A proof Πr of knowledge of r1 and r2 , used to encrypt F(M ), which consists of bit-by-bit commitments C1 = (C 0 (r1,1 ), . . . , C 0 (r1,` )) and C2 = (C 0 (r2,1 ), . . . , C 0 (r2,` )), where ` is the bit-length of the order p, and proofs that each sub-commitment is indeed a bit commitment: as explained above, each sub-commitment with the quadratic-equation proof of bit requires 6 group elements. One then hr i hr i has to prove that c1 and c2 are well-formed w.r.t. these commitments: c1 = X1 1 and c2 = X2 2 , P Q j−1 where C 0 (ri ) = C 0 ( j∈{1,...,`} 2j−1 ri,j ) = j∈{1,...,`} C 0 (ri,j )2 . These linear multi-scalar multiplication equation proofs require 2 group elements each. Globally, Πr is composed of 18` + 4 group elements. • A proof ΠM of knowledge of M in c, the encrypted F(M ), which consists of a bit-by-bit commitment CM = (C 0 (M1 ), . . . , C 0 (Mk )), with proofs that each commitment is also indeed a bit commitment: 6k Q hM i group elements. One then has to prove that c3 is well-formed: c3 = (u0 i∈{1,...,k} ui i ) · g hr1 i+hr2 i , which is a linear multi-scalar multiplication equation proof: 2 additional group elements. Therefore ΠM is composed of 9k + 2 group elements. 19
As a consequence, the global proof, that we denote by Π for the sake of clarity, can be done with randomizable commitments and proofs, using the Groth-Sahai methodology [GS08, FP09], and consists of 9k + 18` + 6 group elements. – Sign(sk = Y, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π); s): When one wants to sign a ciphertext c = (c1 , c2 , c3 ), one first checks if the latter is valid, using Π, and produces σ = (cs1 , cs2 , Y · cs3 ; X1s , X2s , g s ). The second part (X1s , X2s , g s ) will enable randomization. – Decrypt(dk = (x1 , x2 ), vk = X, (c = (c1 , c2 , c3 ), Π)): On a valid ciphertext (one can check with Π), if one knows the decryption key dk = (x1 , x2 ), one can get back F = F(M ), and one can also complete the 1/x 1/x proof Π into a proof of knowledge of M : F = c3 /(c1 1 c2 2 ). – Verif(vk = X, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π), σ = (σ1 , σ2 , σ3 ; σ4 , σ5 , σ6 )): In order to check the validity of the signature, one first checks whether the proof on the ciphertext is valid and whether the following pairing equations are verified: e(σ3 , g) = e(g, vk) · e(c3 , σ6 ) and e(σ1 , X1 ) = e(c1 , σ4 )
e(σ2 , X2 ) = e(c2 , σ5 )
e(σ1 , g) = e(c1 , σ6 )
e(σ2 , g) = e(c2 , σ6 )
Theorem 13. The Waters signature on linear ciphertexts is extractable when one defines – SigExt(dk = (x1 , x2 ), vk = X, σ): On a valid signature, if one knows the decryption key dk = (x1 , x2 )), 1/x 1/x one can get back a signature on M (or F = F(M )): Σ = (Σ1 = σ3 /(σ1 1 σ2 2 ), Σ2 = σ6−1 ). Note that one can also get the same value from the coins for encryption r1 , r2 : Σ = (Σ1 = σ3 /σ6r1 +r2 , Σ2 = σ6−1 ). Proof. The proof follows from the fact that 1/x1 1/x2 σ2 ) −s
Σ1 = σ3 /(σ1
Σ2 = σ6−1 = g
s/x1 s/x2 c2 )
= Y · cs3 /(c1
= Y · g s(r1 +r2 ) · F(M )s /g sr1 g sr2 = Y · F(M )s ,
.
t u Theorem 14. The Waters signature on linear ciphertexts is randomizable when one defines – Random(vk = X, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π), σ = (σ1 , σ2 , σ3 ; σ4 , σ5 , σ6 ); r10 , r20 , s0 ): In order to randomize the signature and the ciphertext, the algorithm outputs: r0
r0
0
0
c0 = (c1 · X1 1 , c2 · X2 2 , c3 · g r1 +r2 ) 0
r0
r 0 s0
0
r0
r 0 s0
0
r0 +r20
σ 0 = (σ1 · cs1 × σ41 · X1 1 , σ2 · cs2 × σ52 · X2 2 , σ3 · cs3 × σ61
0
0
0
0
0
0
· g (r1 +r2 )s ; σ4 · X1s , σ5 · X2s , σ6 · g s )
together with a randomization Π 0 of Π. Proof. On the input (vk = X, pk = (X1 , X2 ), (c = (c1 , c2 , c3 ), Π), σ = (σ1 , σ2 , σ3 ; σ4 , σ5 , σ6 ); r10 , r20 , s0 ), where for some random scalars s, r1 , r2 ∈ Zp , c = (c1 = X1r1 , c2 = X2r2 , c3 = g r1 +r2 · F(M )) σ = (cs1 = X1r1 s , cs2 = X2r2 s , Y · cs3 = Y · g (r1 +r2 )s · F(M )s ; X1s , X2s , g s ) 20
the algorithm outputs (where R1 = r1 + r10 , R2 = r2 + r20 and S = s + s0 ): r0
r +r10
c0 = (c1 · X1 1 = X1 1
r0
r +r20
, c2 · X2 2 = X2 2
0
0
0
0
, c3 · g r1 +r2 = g r1 +r1 +r2 +r2 · F(M ))
= (X1R1 , X2R2 , g R1 +R2 · F(M )) 0
r0
r 0 s0
0
r0 s
r0
0
r 0 s0
r0 +r20
0
0
σ 0 = (σ1 · cs1 × σ41 · X1 1 , σ2 · cs2 × σ52 · X2 2 , σ3 · cs3 × σ61 r 0 s0
r0 s
0
0
0
0
0
0
· g (r1 +r2 )s ; σ4 · X1s , σ5 · X2s , σ6 · g s )
r 0 s0
= (X1r1 s · X1r1 s × X1 1 · X1 1 , X2r2 s · X2r2 s × X2 2 · X2 2 , 0
0
0
0
0
0
0
0
0
0
0
0
0
Y · F(M )s · g (r1 +r2 )s · F(M )s · g (r1 +r2 )s × g (r1 +r2 )s · g (r1 +r2 )s ; X1s+s , X2s+s , g s+s ) (r1 +r10 )(s+s0 )
= (X1
(r2 +r20 )(s+s0 )
, X2
0
0
0
0
, Y · F(M )s+s · g (r1 +r2 +r1 +r2 )(s+s ) ; X1s+s , X2s+s , g s+s ) S
S
S
= (X1R1 S , X2R2 S , Y · F(M )S · g (R1 +R2 )S ; X1S , X2S , g S ) = (c01 , c02 , Y · c03 ; X1S , X2S , g S ). We thus have Random(vk, pk, c, σ; r10 , r20 , s0 ) = Sign(sk, pk, c0 ; s + s0 ), where c0 = Encrypt(pk, vk, M ; r1 + r10 , r2 + r20 ). t u Theorem 15. The Waters signature on linear ciphertexts is unforgeable (in the UF sense) under the CDH assumption in G. Proof. Let us denote SC our above signature on ciphertexts (but omit it in the subscripts for clarity), and S the Waters signature scheme. We know that the latter is existentially unforgeable under the CDH assumption. Let us assume that A is able to break the unforgeability of SC. We will build an adversary B against that Waters signature scheme. We note that B generated the parameters for the commitments for the proof Π of knowledge of M , r1 and r2 , so that it can extract the values. – Setup(1k ): we first run the SetupS (1k ) algorithm, from which we get paramS = (p, G, GT , e, g, h, u). We set params = paramS = (p, G, GT , e, g, h, u), and parame = (p, G, GT , e, g). B sets the commitment parameters so that it can extract committed values. $ – EKeyGen(parame ): for each new key request, B chooses two random scalars x1 , x2 ← Zp , which define the secret key dk = (x1 , x2 ), and the public key as pk = (X1 = g x1 , X2 = g x2 ). – SKeyGen(params ): for the unique signing key request, one gets the verification key vkS from the Waters EUF-CMA security game. B sets vk = vkS . – A can now access a signing oracle, with queries of the form Sign(vk, pk, ·), for any pk and ciphertext of its choice. But the ciphertext looks like c = (c1 , c2 , c3 ) together with Π = (ΠM , Πr ). • If the tuple (c, Π) is not valid, then B returns ⊥; • Otherwise, B can extract M from the proof of knowledge ΠM , that contains a bit-by-bit extractable commitment CM of M . It then queries SignS (skS , M ) to the signing oracle, and adds (vk, M ) to the SM set. It receives back σ 0 = (σ10 = sk · F(M )s , σ20 = g −s ). B can also extract r1 and r2 from the bit-by-bit commitments C1 and C2 included in the proof Πr of knowledge of r1 and r2 . It then returns the signature σ defined as σ1 = σ20 −r1 x1 = g sr1 x1 = X1sr1 , σ2 = σ20 −r2 x2 = X2sr2 , σ3 = σ10 σ20 −r1 −r2 = sk · F(M )s · g s(r1 +r2 ) , σ4 = σ20 −x1 = g sx1 = X1s , σ5 = σ20 −x2 = g sx2 = X2s , σ6 = σ20 −1 = g s – After a polynomial number of queries, A outputs, with non-negligible probability, a valid signature σ on a valid ciphertext (c, Π). As above, one can extract the message M , and for a valid forgery, one needs M 6= ⊥ and (M, vk) 6∈ SM. Using SigExt, as shown above, one thus gets a valid Waters signature on M : 1/x 1/x σB = (σ3 /(σ1 1 σ2 2 ) = sk · F(M )s , σ6−1 = g −s ). This breaks the EUF-CMA property of the Waters signature scheme, that holds under the CDH assumption. t u 21
C
Asymmetric Waters Signature on ElGamal Ciphertexts
As symmetric bilinear groups are in general less efficient than asymmetric groups, we show how to instantiate our primitive with ElGamal encryption in an asymmetric pairing setting, relying on the SXDH assumption. As for the previous DLin-based scheme, we need to modify the Waters signature to make the resulting scheme more efficient. But first, we have to adapt the Waters signature to the asymmetric setting. C.1
Assumptions
The security of Waters signatures in asymmetric bilinear groups can be proved under the following variant of the CDH assumption, which states that CDH is hard in G1 when one of the random scalars is also given as an exponentiation in G2 . Definition 16 (The Advanced Computational Diffie-Hellman problem (CDH+ )). Let us be given two (multiplicative) groups (G1 , G2 ) of prime order p with (g1 , g2 ) as respective generators and e an admissible bilinear map G1 × G2 → GT . The CDH+ assumption states that given (g1 , g2 , g1a , g2a , g1b ), for random a, b ∈ Zp , it is hard to compute g1ab . ElGamal encryption is secure under the DDH assumption; since we will use it in both groups G1 and G2 , we assume SXDH, defined below. In the asymmetric setting, the ElGamal requires the DDH assumption: Definition 17 (Decisional Diffie-Hellman Assumption (DDH)). Let G be a cyclic group of prime order p. The DDH assumption states that given (g, g a , g b , g c ) ∈ G, it is hard to determine whether c = ab. Definition 18 (Symmetric external Diffie-Hellman Assumption (SXDH) [BBS04]). Let G1 , G2 be cyclic groups of prime order, e : G1 × G2 → GT be a bilinear map. The SXDH assumption states that the DDH assumption holds in both G1 and G2 . C.2
Groth-Sahai Commitments
As above, several elements (group elements or scalars) will have to be committed so that proofs can be done on them. We will use SXDH-based Groth-Sahai commitments: they require a bilinear group (p, G1 , G2 , GT , e, g1 , g2 ), where e : G1 × G2 → GT is an admissible bilinear map, for three groups G1 , G2 and GT , of prime order p, generated by g1 , g2 and gt = e(g1 , g2 ) respectively. The commitment key consists of u1 = (u1,1 , u1,2 ) , u2 = (u2,1 , u2,2 ) ∈ G12 and v1 = (v1,1 , v1,2 ) , v2 = (v2,1 , v2,2 ) ∈ G22 ; we write u1 u1,1 u1,2 v1 v1,1 v1,2 u= = and v = = . u2 u2,1 u2,2 v2 v2,1 v2,2 Initialization of the parameters should be: u1 = (g1 , u) with u = g1λ and u2 = u1 µ with λ, µ ← Z∗p , which means that u is a Diffie-Hellman tuple in G1 , since u1 = (g1 , g1λ ) and u2 = (g1µ , g1λµ ). In the hiding setting, we will use instead u2 = u1 µ (1, g1 )−1 : u1 = (g1 , g1λ ) and u2 = (g1µ , g1λµ−1 ). And it is the same in G2 for v. $
Group Element Commitment. To commit to X ∈ G1 , one chooses randomness s1 , s2 ∈ Zp and sets C(X) = 1 2 1 2 (1, X) us11 us22 = (us1,1 · us2,1 , X · us1,2 · us2,2 ). – For a correct initialization of the commitment key, we can re-write C(X) as C(X) = (g1a , X · ua ), for a = s1 + µs2 . This is an ElGamal encryption of X under the key (u1,1 = g1 , u1,2 = u = g1λ ) (see below). A simulator that knows the discrete logarithm λ of u in basis g1 can extract X. – In the case that u2 = u1 µ (1, g1 )−1 = (uµ1,1 , uµ1,2 /g1 ), we can re-write C(X) as C(X) = (g1a , X/g1b · ua ), for a = s1 + µs2 , b = s1 , two random independent values: this is an encryption of X/g1b , for a random b. It thus perfectly blinds X. The commitment in G2 follows the same rules, with v and g2 instead of u and g1 . 22
Scalar Commitment. To commit to x ∈ Zp in G1 , one chooses γ ∈ Zp and sets C 0 (x) = (ux2,1 , (u2,2 g1 )x ) uγ1 = (uγ1,1 ux2,1 , uγ1,2 (u2,2 g1 )x ). – For a correct initialization of the commitment key, we can re-write C10 (X) as C10 (x) = (g1a , g1x · ua ), for a = γ + µx. This is an ElGamal encryption of g1x under the key (u1,1 = g1 , u1,2 = u = g1λ ) (see below). A simulator that knows the discrete logarithm λ of u in basis g1 can extract g1x . In the case x is small (a bit), one can then extract x. Note that this commitment scheme is homomorphic: the product of C10 (x) and C10 (y) is a commitment of x + y mod p. γ+µx – In the case that u2 = u1 µ (1, g1 )−1 = (uµ1,1 , uµ1,2 /g1 ), we can re-write C10 (X) as C10 (X) = (uγ+µx 1,1 , u1,2 ) = (g1a , ua ), for a = γ + µx. It perfectly blinds x. The same things can be done with C20 , v in G2 Proofs. Under the SXDH assumption, the two initializations of the commitment key (perfectly binding or perfectly hiding) are indistinguishable. The former provides perfectly sound proofs, whereas the latter provides 2×2 perfectly witness hiding proofs. A Groth-Sahai proof, is a pair of elements (π, θ) ∈ G2×2 1 ×G2 . These elements are constructed to help verifying pairing relations on committed values. Being able to produce a valid pair implies knowing plaintexts verifying the appropriate relation. As above, we will note hxi1 for a committed scalar x in G1 , hxi2 for a committed scalar x in G2 ,(or hXi for a committed group element X). We will use: hri
– Linear Pairing Product equations: e(hX1r i, g2 ) = e(g1 1 , X2 ), to prove that the group element commit ed, is the public key raised to the value of the committed scalar in G1 . hri – Multi-scalar multiplications equations in G1 : hX1r i = X1 2 , to prove the group element, committed in G1 , is equal to X1 raised to the value of the scalar committed in G2 . hri – Linear Multi-scalar multiplications equations in G1 : c = U1 2 , to prove the group element c (in G1 ), equal to U1 raised to the committed scalar r. – Quadratic equations: hxi1 (hx0 i2 − 1) = 0, to show that a committed scalar x is truly a bit ∈ {0, 1}. (This equation with its symmetric are enough to prove that if x is committed in G1 and x0 in G2 we have : x = x0 and x ∈ {0, 1} Multi-scalar multiplication equations will require group elements (2 in G1 , 4 in G2 ), whereas quadratic equations will only require two in each. Once again, some additional optimizations can be made if we have linear equations: Assumption: SXDH Commitments Linear Pairing Product equations Multi-scalar multiplication equations in G1 - Linear Multi-scalar multiplication equations in G1 Quadratic equations
G1 G2 2 or 2 0 2 2 4 1 0 2 2
One has to pay attention to the fact, that Groth-Sahai bit-by-bit proofs in SXDH require bits to be committed both in G1 and G2 and so require to use 2 quadratic equations by bit. C.3
Asymmetric Waters Signature Scheme
First, we present a result that is of independent interest: the asymmetric Waters signature. – Setup(1k ): The scheme needs a pairing-friendly environment (p, G1 , G2 , GT , e, g1 , g2 ), where e : G1 ×G2 → GT is an admissible bilinear map, for groups G1 , G2 and GT , of prime order p, generated by g1 , g2 and gt = e(g1 , g2 ) respectively. We will sign messages M = (M1 , . . . , Mk ) ∈ {0, 1}k . To this aim, we need a vector 23
Qk $ Mi u = (u0 , . . . , uk ) ← Gk+1 1 , and for convenience, we denote the Waters Hash as F(M ) = u0 i=1 ui . We $ also need an additional generator h1 ← G1 . The global parameters param consist of all these elements (p, G1 , G2 , GT , e, g1 , g2 , h1 , u). $ – SKeyGen(param): Choose a random scalar x ← Zp , which defines the public key as vk = (X1 , X2 ) = x x x (g1 , g2 ), and the secret key as sk = Y = h1 . $ – Sign(sk = Y, M ; s): For some random s ← Zp , define the signature as σ = σ1 = Y (F(M ))s , σ2 = −s −s g1 , σ3 = g2 ). – Verif(vk = (X1 , X2 ), M, σ): One checks whether e(σ1 , g2 ) · e(F(M ), σ3 ) = e(h1 , X2 ), and e(σ2 , g2 ) = e(g1 , σ3 ). As for the original scheme, signing and verifying can be performed when F = F(M ) is given instead of M . For both algorithms, we can replace M by (F(M ), ΠM ). In addition, to verify a signature, only the second component X2 of the public key is used. We could define a scheme with public keys vk = X2 and prove it secure under a slightly weaker assumption. However, we defined the scheme with keys of the form (X1 , X2 ) since we require it for signatures on encrypted messages (see the next section). Theorem 19. The Asymmetric Waters signature scheme is randomizable and existentially unforgeable under the CDH+ assumption. 0
0
0
Proof. First, let us define Random(vk, (F, ΠM ), σ = (σ1 , σ2 , σ3 ); s0 ) to output σ 0 = (σ1 · F s , σ2 · g1−s , σ3 · g2−s ), $ for random s0 ← Zp . We easily see it corresponds to Sign(sk, F, ΠM ; s + s0 mod p). Because of the group structure of Zp , we get appropriate distributions. Let A be an adversary breaking the existential unforgeability of the above signature scheme, i.e. after at most qs signing queries, it succeeds in building a new signature with probability . Let (g1 , g2 , λ = (g1a , g2a ), µ = g1b ) be an CDH+ -instance. We show how an adversary B can compute g1ab thanks to A. $
$
SetupS . Pick a random position j ← {0, . . . , k}, choose random indices y0 , y1 , . . . , yk ← {0, . . . , 2qs − 1}, and $ random scalars z0 , z1 , . . . , zk ← Zp . One defines X1 = g1a , X2 = g2a , h1 = g1b , u0 = hy10 −2jqs g z0 , ui = hy1i g1zi . Signing queries. To answer a signing query on m, with a message M = (Mi ), we define X X J H = −2jqs + y0 + y i Mi , J = z 0 + zi Mi : F(M ) = hH 1 g1 . i
i −J/H
If H ≡ 0 (mod p) then abort, otherwise set σ = (X1 we have: −J/H
1/H −s g2 −J/H a Ja/H 1/H −a/H −˜ X1 (h1 g1 )(F(M ))s˜, X1 g1 g1 s , ha1 (F(M ))s˜, g1−˜s , g2−˜s .
σ := X1 = =
1/H −s g1 ,
1/H −s 1/H g1 , X2 g2−s ).
F(M )s , X1
J s (hH 1 g1 ) , X 1
Defining s˜ = s − a/H,
X2
1/H −a/H −˜ g2 g2 s
X2
After at most qs signing queries A outputs a forgery σ ∗ = (σ1∗ , σ2∗ , σ3∗ ) on M ∗ . As before, we define X X ∗ J∗ H ∗ = −2jqs + y0 + yi Mi∗ , J ∗ = z0 + zi Mi∗ : F(M ∗ ) = hH 1 g1 . i
i ∗
∗
∗
If H ∗ 6≡ 0 (mod p) then abort, otherwise, as shown above, for some s∗ , σ ∗ = (ha1 F(M ∗ )s , g1−s , g2−s ), and ∗ ∗ ∗ ∗ ∗ thus σ ∗ = (ha1 g1J s , g1−s , g2−s ). As a consequence, σ1∗ (σ2∗ )J = ha1 = g1ab : one has solved the CDH+ problem. As above, the latter case occurs with good probability. t u 24
C.4
ElGamal Encryption
ElGamal encryption is defined by the four algorithms. – Setup(1k ): The scheme needs a pairing-friendly system (G1 , G2 , GT , p, e), with respective generators g1 , g2 and gt = e(g1 , g2 ). – EKeyGen(param): One chooses a scalar α which defines U1 = g1α . (We can do the same in G2 with a scalar β which defines U2 = g2β ). – Encrypt(pk = u1 , M ; r): The algorithm is given a random r ∈ Zp and publishes c = (c1 = F(M ) · U1r , c2 = g1r ). – Decrypt(dk = α, c = (c1 , c2 )): One computes F(M ) = c1 /cα2 . This scheme is semantically secure against chosen-plaintext attacks (IND-CPA) under the hardness of DDH in the appropriate group. Theorem 20. The ElGamal encryption scheme is randomizable when we define 0
0
– Random(pk, M, c = (c1 , c2 ); r0 ) outputs c0 = (c1 · U1r , c2 · g1r ), for a random scalar r0 ← Zp $
Proof. It is clear that this is a valid re-randomization, due to the group structure of Zp : c = Encrypt(pk, M ; r) ⇒ Random(pk, c; r0 ) = Encrypt(pk, M ; r + r0 ). t u C.5
Signature on Encrypted Messages
We now want to generate a signature on an encryption of F(M ). But as already explained, the signature scheme remains unforgeable on F with an additional proof of knowledge ΠM of M such that F = F(M ). – Setup(1k ): The system generates a pairing-friendly system (G1 , G2 , GT , p, e), with respective generators $ g1 , g2 and gt = e(g1 , g2 ). For the signing part, we need an additional vector u = (u0 , . . . , uk ) ← Gk+1 1 , $ and a generator h1 ← G1 . $ – EKeyGen(parame ): Choose a random scalar α ← Zp , which defines the secret key dk = α, and the public key as pk = U1 = g1α . $ – SKeyGen(params ): Choose a random scalar x ← Zp , which defines the public key as vk = (X1 = g1x , X2 = x x g2 ), and the secret key as sk = Y = h1 . – Encrypt(pk, vk, M ; r): For some message M ∈ {0, 1}k and some random scalar r ∈ Zp , define the ciphertext as c = (F(M ) · U1r , g1r ). For making the security proof work, we also add some proofs of validity of the ciphertext: • A proof Πr of knowledge of r, used to encrypt F(M ), which consists of the bit-commitments in both groups G1 and G2 , C1 = (C10 (r1 ), . . . , C10 (r` ), C20 (r1 ), . . . , C20 (r1,` )), where ` is the bit-length of the order p, and proofs that each sub-commitments if indeed a bit commitment: they correspond to two quadratic equations, and consist each of 2 group elements in G1 and 2 group elements in G2 for each hri bit. One then has to prove that c2 is well-formed w.r.t. these commitments, c2 = U1 2 , where the commitment of r can be obtained as above granted the homomorphic property. This equation is a linear multi-scalar multiplication equation in G1 , requiring 1 group element in G1 . Therefore Πr is composed of 6` + 1 group elements in G1 and 6` in G2 . 25
• A proof ΠM of knowledge of M in c, the encrypted F(M ), which consists of the bit-commitments in both groups G1 and G2 , CM = (C10 (M1 ), . . . , C10 (Mk ), C20 (M1 ), . . . , C20 (Mk )), with proofs that each commitment is also indeed a bit commitment: 6k group elements in G1 and 6k in G2 . One then Q hM i hri has to prove that c1 is well-formed: c1 = (u0 i∈[1,k] ui i 2 ) · U1 2 , which is a linear multi-scalar multiplication equation in G1 , and so only needs 1 extra group element in G1 . Therefore ΠM is composed of 6k + 1 elements in G1 and 6k group elements in G2 . As above, for the sake of clarity, we denote by Π the global additional proof, which consists of 6k + 6` + 2 group elements in G1 and 6k + 6` group elements in G2 . – Sign(sk = Y, pk = U1 , (c = (c1 , c2 ), Π); s): When one wants to sign a ciphertext c = (c1 , c2 ), one first checks if the latter is valid using Π and produces: σ = (Y · cs1 , cs2 , U1s , g1s , g2s ) if it is valid or ⊥ in the other case. – Random(vk = (X1 , X2 ), pk = U1 , (c = (c1 , c2 ), Π), σ; r0 , s0 ): This algorithm is given random scalars r0 , s0 ∈ Zp and publishes 0
0
c0 = (c01 = c1 · U1r , c02 = c2 · g1r ) 0
0
0 0
0
0
0 0
0
0
0
σ 0 = (σ10 = σ1 · cs1 · σ3r · U1s r , σ20 = σ2 · cs2 · σ4r · g1r s , σ30 = σ3 · U1s , σ40 = σ4 · g1s , σ50 = σ5 · g2s ), together with a randomization Π 0 of Π. – Verif(vk = (X1 , X2 ), pk = U1 , c, σ): In order to check the validity of the signature, one checks if Π is valid and if the following pairing equations are verified: e(σ2 , g2 ) = e(c2 , σ5 )
e(σ3 , g2 ) = e(U1 , σ5 )
e(σ1 , g2 ) = e(h1 , X2 ) · (c1 , σ5 ).
e(σ4 , g2 ) = e(g1 , σ5 )
– SigExt(dk, vk, σ): On a valid signature, if one knows the decryption key dk = α, one can get back a signature on M (of F = F(M )): Σ = (Σ1 = σ1 /σ2α , Σ2 = σ4−1 , Σ3 = σ4−1 ). Note that one can also get the same value from the encryption random coins r, since Σ1 = σ1 /U1r . Theorem 21. The Asymmetric Waters signature on ElGamal ciphertexts is randomizable. Proof. Let’s show that Random(vk, pk, c, σ; r0 , s0 ) is a valid randomization. We have: 0
0
0
0
0 0
0
0
0
0 0
0
(s+s0 )(r+r0 )
σ10 = σ1 · cs1 · σ3r · U1s r = (Y · F(M )s · U1sr ) · (F(M )s · U1s r ) · U1sr · U1s r = Y · F(M )s+s · U1 0 0
0
0
(s+s0 )(r+r0 )
0 0
σ20 = σ2 · cs2 · σ4r · g1s r = g1sr · g1s r · g1sr · g1s r = g1 0
σ30 = σ3 · U1s = U1s+s
0
0
σ40 = σ4 · g1s = g1s+s
0
0
0
σ50 = σ5 · g2s = g2s+s .
This is straightforward for the ciphertext, so: Random(vk, pk, c, σ; r0 , s0 ) = Sign(sk, pk, c0 ; s + s0 ) where c0 = Encrypt(pk, vk, M ; r + r0 ). t u
The group structure of Zp leads to the conclusion.
Theorem 22. The Asymmetric Waters signature on ElGamal ciphertexts is unforgeable (in the UF sense) under the CDH+ assumption. Proof. Let us denote SC our above signature on ciphertexts (but omit it in the subscripts for clarity), and S the asymmetric Waters signature scheme. We know that the latter is existentially unforgeable under the CDH+ assumption. Let us assume that A is able to break the unforgeability of SC. We will build an adversary B against that asymmetric Waters signature scheme. We note that B generated the parameters for the commitments for the proof Π of knowledge of M and r so that it can extract the values. 26
– Setup(1k ): we first run the SetupS (1k ) algorithm, and get paramS = (G1 , G2 , GT , p, e, g1 , g2 , h1 , u). We set params = paramS , and parame = (G1 , G2 , GT , p, e, g1 , g2 ). B sets the commitment parameters so that it can extract committed values. $ – EKeyGen(parame ): for each new key request, B chooses one random scalar α ← Zp , and defines the secret α key dk = α, and the public key as pk = U1 = g1 . – SKeyGen(params ): for the unique signing key request, one gets the verification key vkS from the asymmetric Waters EUF-CMA security game. B sets vk = vkS . – A can now access a signing oracle, with queries of the form Sign(vk, pk, ·), for any pk and ciphertext of its choice. But the ciphertext looks like c = (c1 , c2 ) together with Π = (ΠM , Πr ). • If the tuple (c, Π) is not valid, then B returns ⊥; • Otherwise, B can extract M from the bit-by-bit proof of knowledge ΠM (which contains the extractable commitment CM ) as well as r from Πr (which contains the extractable commitment Cr ). It then queries SignS (skS , M ) to the signing oracle, and add (vk, M ) to the SM set. It receives back σ 0 = (σ10 = sk · F(M )s , σ20 = g1−s , σ30 = g2−s ). It then returns σ1 = σ10 σ20 −αr = sk · F(M )s · U1sr = sk · cs1 , σ = σ2 = σ20 −r = g1sr = cs2 , −α −1 −1 0 s 0 s 0 s σ3 = σ2 = U1 , σ4 = σ2 = g1 , σ5 = σ3 = g2 . – After a polynomial number of queries, A outputs, with non-negligible probability, a valid signature σ on a valid ciphertext (c, Π). As above, one can extract the message M , and for a valid forgery, one needs M 6= ⊥ and (M, vk) 6∈ SM. Using SigExt, as shown above, one thus gets a valid asymmetric Waters signature on M : σB = (σ1 /σ2α = sk · F(M )s , σ4−1 = g1−s , σ5−1 = g2−s ). This breaks the EUF-CMA property of the asymmetric Waters signature scheme, that holds under the CDH+ assumption. t u
D
Revisited Asymmetric Waters Signature on ElGamal Ciphertexts
Combining SXDH-based Groth-Sahai proofs with ElGamal encryption and asymmetric Waters signatures has the same drawback as our first instantiation from Section 3: bit-by-bit commitments of random coins. But again, we can significantly improve efficiency of the scheme by getting rid of this extractable scalar commitment and replacing it by extractable commitments to group elements. To do so, we combine our two variants of Waters signatures: we give an asymmetric version of the chosen-extended-message secure variant from Section 4.1: in the unforgeability game the adversary has to submit extended messages of the form (M, R1 = g1r , T = X1r ) to the signing oracle, which replies with the tuple (Y · (F(M )R1 )s , g1−s , g2−s , R1−s ), where sk = Y = hx1 and vk = (X1 = g1x , X2 = g2x ). Hence the need of X1 . Revisited Asymmetric Waters Signature – Setup(1k ): The scheme needs a pairing-friendly environment (p, G1 , G2 , GT , e, g1 , g2 ), where e : G1 ×G2 → GT is an admissible bilinear map, for groups G1 , G2 and GT , of prime order p, generated by g1 , g2 and gt = e(g1 , g2 ) respectively. $ We will sign messages M = (M1 , . . . , Mk ) ∈ {0, 1}k . To this aim, we need u = (u0 , . . . , uk ) ← Qk a vector Mi k+1 G1 , and for convenience, we denote the Waters Hash as F(M ) = u0 i=1 ui . $ We also need an additional generator h1 ← G1 . The global parameters param consist of all these elements (p, G1 , G2 , GT , e, g1 , g2 , h1 , u). $ – SKeyGen(param): Choose a random scalar x ← Zp , which defines the public key as vk = (X1 , X2 ) = (g1x , g2x ), and the secret key as sk = Y = hx . 27
– Sign(sk = Y, M, R, T ; s): First check the consistency of (R, T ): e(T, g2 ) = e(R1 , X2 ) which guarantees the expected relation on the exponents. $ For some random s ← Zp , define the signature as σ = σ1 = Y (F(M )R1 )s , σ2 = g1−s , σ3 = g2−s , σ4 = R1−s . – Verif(vk = (X1 , X2 ), M, R1 , T, σ): One checks whether e(σ1 , g2 ) · e(F(M )R1 , σ3 ) = e(h1 , X2 ), e(σ2 , g2 ) = e(g1 , σ3 ) and e(σ4 , g2 ) = e(R1 , σ3 ). Theorem 23. The revisited asymmetric Waters signature scheme is existentially unforgeable under chosenextended-message attack if CDH+ assumption holds. Proof. Let A be an adversary breaking the existential unforgeability of the above signature scheme, i.e. after at most qs signing queries, it succeeds in building a new signature with probability . Let (g1 , g2 , X1 = g1a , X2 = g2a , Y1 = g1b ) be an CDH+ -instance. We show how an adversary B can compute g1ab thanks to A. $
$
SetupS . Pick a random position j ← {0, . . . , k}, choose random indices y0 , y1 , . . . , yk ← {0, . . . , 2` − 1}, and $ random scalars z0 , z1 , . . . , zk ← Zp . One defines X = (X1 , X2 ), h1 = Y1 , u0 = hy10 −2j` g1z0 , ui = hy1i g1zi . Signing queries. To answer a signing query on a message M = (Mi ), we define X X J H = −2j` + y0 + yi Mi , J = z0 + zi Mi : F(M ) = hH 1 g1 . i
i −J/H
If H ≡ 0 (mod p) then abort, otherwise set σ = (X1 Defining s˜ = s − a/H, we have: −J/H
1/H −s g2 , T 1/H R1−s −J/H −1/H a Ja/H ta/H 1/H −a/H −˜ X1 T (h1 g1 R1 )(F(M )R1 )s˜, X1 g1 g1 s , ha1 (F(M )R1 )s˜, g1−˜s , g2−˜s , R1−˜s .
σ := X1 = =
1/H 1/H −s g1 , X2 g2−s , T 1/H R1−s ).
T −1/H (F(M )R1 )s , X1
1/H −s g1 ,
J s T −1/H (hH 1 g1 R1 ) , X1
X2
1/H −a/H −˜ g2 g2 s ,
X2
T 1/H R1−s
After at most qs signing queries A outputs a forgery σ ∗ = (σ1∗ , σ2∗ , σ3∗ , σ4∗ )) on M ∗ . As before, we define X X ∗ J∗ H ∗ = −2j` + y0 + yi Mi∗ , J ∗ = z0 + zi Mi∗ : F(M ∗ ) = hH 1 g1 . i
i ∗
∗
∗
∗
If H ∗ 6≡ 0 (mod p) then abort, otherwise, for some s∗ , σ ∗ = (ha1 (F(M ∗ )R1 )s , g1−s , g2−s , R1−s ), and thus ∗ ∗ ∗ ∗ ∗ ∗ ∗ σ ∗ = (ha1 g1J s R1s , g1−s , g2−s , R1−s ). As a consequence, σ1∗ (σ2∗ )J /σ4 = ha1 = g1ab : one has solved the CDH+ problem. As above, the latter case occurs with good probability. t u Once again, we can remark that signing and verifying can be performed without knowing the message M itself, but F = F(M ) only is enough. We can thus replace M by (F, ΠM ). Theorem 24. The revisited asymmetric Waters signature scheme is randomizable when one defines Random(vk, 0 0 0 0 (F, ΠM ), R1 , T, σ = (σ1 , σ2 , σ3 , σ4 ); s0 ) to output σ 0 = (σ1 · (F R1 )s , σ2 · g1−s , σ3 · g2−s , σ4 · R1−s ), for random $ s0 ← Zp . Proof. This is indeed valid re-randomization: σ = Sign(sk, (F, ΠM ), R, T ; s) ⇒ Random(vk, (F, ΠM ), R, T, σ; s0 ) = FSign(sk, F, R, T, ΠM ; s + s0 ). t u 28
Signature on Encrypted Messages We now want to generate a signature on an encryption of F(M ). Our improved construction just differs for the proof Πr : We now have Cr = C(X1r ) which is here to help the simulator in creating T in the reduction, together with proof Πr showing that e(hCi, g2 ) = e(c2 , X2 ) and so that C is a commitment of X1 raised to r: This equation is a linear pairing product equation. Therefore it requires 2 in G2 . We thus need 1 commitment, so 2 group elements in G1 , and the proof which requires 2 in G2 instead of 6` group elements in G1 and 6` + 2 in G2 . ΠM is constructed exactly as previously, with the same verification equations. therefore Π will be composed of 6k + 2 elements in G1 and 6k + 4 group elements in G2 . Theorem 25. Our variant of Asymmetric Waters signature on ElGamal ciphertexts is randomizable and unforgeable (in the UF sense) under the CDH+ assumption. Proof. Let us denote SC our above signature on ciphertexts (but omit it in the subscripts for clarity), and S the asymmetric Waters signature scheme. We know that the latter is existentially unforgeable under the CDH+ assumption. Let us assume that A is able to break the unforgeabilty of SC. We will build an adversary B against that asymmetric Waters signature scheme. We note that B generated the parameters for the commitments for the proof Π of knowledge of M , r, so that it can extract the values. – Setup(1k ): we first run the SetupS (1k ) algorithm, and get paramS = (G1 , G2 , GT , p, e, g1 , g2 , h1 , u). We set params = paramS , and parame = (G1 , G2 , GT , p, e, g1 , g2 ). B sets the commitment parameters so that it can extract committed values. $ – EKeyGen(parame ): for each new key request, B chooses one random scalar α ← Zp , and defines the secret key dk = α, and the public key as pk = U1 = g1α . – SKeyGen(params ): for the unique signing key request, one gets the verification key vkS from the Waters EUF-CMA security game. B sets vk = vkS . – A can now access a signing oracle, with queries of the form Sign(vk, pk, ·), for any pk and ciphertext of its choice. But the ciphertext looks like c = (c1 , c2 ) together with Π = (ΠM , Πr ). • If the tuple (c, Π) is not valid, then B returns ⊥; • Otherwise, B can extract M from the proof of knowledge ΠM that contains the extractable bit-bybit commitment CM . B can also compute R1 = g1r , and extract T = X1r from Πr , that contains the extractable (not bit-by-bit) commitment Cr = C(X1r ). It then queries SignS (skS , M, R1 , T ) to the signing oracle, and adds (vk, M ) to the SM set. It receives back σ 0 = (σ10 = sk(F(M )R1 )s , σ20 = g1−s , σ30 = g2−s , σ40 = R1−s ). It then returns σ1 = σ10 · σ40 1−α = sk · F(M )s · U1sr = sk · cs1 , σ = σ2 = σ40 −1 = g1sr = cs2 , σ3 = σ20 −α = U1s , . σ4 = σ20 −1 = g1s , σ5 = σ30 −1 = g2s
– After a polynomial number of queries, A outputs, with non-negligible probability, a valid signature σ on a valid ciphertext (c, Π). As above, one can extract the message M , and for a valid forgery, one needs M 6= ⊥ and (M, vk) 6∈ SM. Using SigExt, as shown above, one thus gets a valid asymmetric Waters signature on M : σB = (σ1 /σ2α = sk · F(M )s , σ4−1 = g1−s , σ5−1 = g2−s ). This breaks the EUF-CMA property of our variant of the asymmetric Waters signature scheme, that holds under the CDH+ assumption. t u
29